diff options
author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-06-20 20:59:50 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-06-20 20:59:50 +0000 |
commit | 3a95086d3fdfe5d805d059634af3cb7234d7972c (patch) | |
tree | eeb5421f3c0555e854143002cd34b2ead67cecb7 /lib | |
parent | a9df9a565106f6338c1928804fe8844b0359fc1d (diff) |
wrap getenv OPENSSL_ALLOW_PROXY_CERTS in an issetugid check, to protect
setuid applications from being fooled.
ok miod
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libcrypto/x509/x509_vfy.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 4a485fc4847..b82af081c62 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.28 2014/06/19 21:24:35 tedu Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.29 2014/06/20 20:59:49 deraadt Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -487,7 +487,7 @@ check_chain_extensions(X509_STORE_CTX *ctx) !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); /* A hack to keep people who don't want to modify their software happy */ - if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) + if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS")) allow_proxy_certs = 1; purpose = ctx->param->purpose; } |