On Fri, Feb 19, 2021 at 10:54:29AM +0100, Claudio Jeker wrote: > Better to make sure that all URI we ingest are sensitive. Similar check > is already done in cert.c so also do it for the TAL files (even though > these are normally controled by the user). > > OK?
ok > -- > :wq Claudio > > Index: tal.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/tal.c,v > retrieving revision 1.26 > diff -u -p -r1.26 tal.c > --- tal.c 8 Jan 2021 08:09:07 -0000 1.26 > +++ tal.c 19 Feb 2021 09:21:18 -0000 > @@ -82,6 +82,7 @@ tal_parse_buffer(const char *fn, char *b > char *nl, *line, *f, *file = NULL; > unsigned char *der; > size_t sz, dersz; > + ssize_t i; > int rc = 0; > struct tal *tal = NULL; > EVP_PKEY *pkey = NULL; > @@ -101,6 +102,13 @@ tal_parse_buffer(const char *fn, char *b > if (*line == '\0') > break; > > + /* make sure only US-ASCII chars are in the URL */ > + for (i = 0; i < nl - line; i++) { > + if (isalnum(line[i]) || ispunct(line[i])) > + continue; > + warnx("%s: invalid URI", fn); > + goto out; > + } > /* Check that the URI is sensible */ > if (!(strncasecmp(line, "https://", 8) == 0 || > strncasecmp(line, "rsync://", 8) == 0)) { >