author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-06-20 20:59:50 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-06-20 20:59:50 +0000 |
commit | 56d12332cde6e7befa7b6e7415a9aac62d593138 (patch) | |
tree | 0c065e159c04224b42f1f4d6fae4fd742101069c | |
parent | d79d19128cb92f176801ff7add37bd62b1073d26 (diff) |
wrap getenv OPENSSL_ALLOW_PROXY_CERTS in an issetugid check, to protect
setuid applications from being fooled.
ok miod
-rw-r--r-- | lib/libssl/src/crypto/x509/x509_vfy.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c index 4a485fc4847..b82af081c62 100644 --- a/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/lib/libssl/src/crypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.28 2014/06/19 21:24:35 tedu Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.29 2014/06/20 20:59:49 deraadt Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -487,7 +487,7 @@ check_chain_extensions(X509_STORE_CTX *ctx) !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); /* A hack to keep people who don't want to modify their software happy */ - if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) + if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS")) allow_proxy_certs = 1; purpose = ctx->param->purpose; } |
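Review bot: The guarded `getenv("OPENSSL_ALLOW_PROXY_CERTS")` test in check_chain_extensions still lets the environment switch on proxy-certificate acceptance for every process that is not setuid/setgid, so a program started with an inherited or caller-influenced environment can end up with a verification policy it never requested through `X509_V_FLAG_ALLOW_PROXY_CERTS`. The existing "A hack to keep people ... happy" comment does not explain the new condition; it should state the boundary, for example `/* Env override is ignored when issetugid() != 0; other processes still trust their environment here. */`. The diffstat shows only the two changed lines, so no include was added by this commit; confirm that x509_vfy.c already includes `<unistd.h>` for the `issetugid()` prototype, otherwise the call is implicitly declared. The function body starts and ends outside the hunk.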