On Fri, Feb 19, 2021 at 10:54:29AM +0100, Claudio Jeker wrote:
> Better to make sure that all URI we ingest are sensitive. Similar check
> is already done in cert.c so also do it for the TAL files (even though
> these are normally controled by the user).
>
> OK?
ok
> --
> :wq Claudio
>
> Index: tal.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/tal.c,v
> retrieving revision 1.26
> diff -u -p -r1.26 tal.c
> --- tal.c 8 Jan 2021 08:09:07 -0000 1.26
> +++ tal.c 19 Feb 2021 09:21:18 -0000
> @@ -82,6 +82,7 @@ tal_parse_buffer(const char *fn, char *b
> char *nl, *line, *f, *file = NULL;
> unsigned char *der;
> size_t sz, dersz;
> + ssize_t i;
> int rc = 0;
> struct tal *tal = NULL;
> EVP_PKEY *pkey = NULL;
> @@ -101,6 +102,13 @@ tal_parse_buffer(const char *fn, char *b
> if (*line == '\0')
> break;
>
> + /* make sure only US-ASCII chars are in the URL */
> + for (i = 0; i < nl - line; i++) {
> + if (isalnum(line[i]) || ispunct(line[i]))
> + continue;
> + warnx("%s: invalid URI", fn);
> + goto out;
> + }
> /* Check that the URI is sensible */
> if (!(strncasecmp(line, "https://";, 8) == 0 ||
> strncasecmp(line, "rsync://", 8) == 0)) {
>
