summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorTheo de Raadt <deraadt@cvs.openbsd.org>2014-06-20 20:59:50 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2014-06-20 20:59:50 +0000
commit3a95086d3fdfe5d805d059634af3cb7234d7972c (patch)
treeeeb5421f3c0555e854143002cd34b2ead67cecb7 /lib
parenta9df9a565106f6338c1928804fe8844b0359fc1d (diff)
wrap getenv OPENSSL_ALLOW_PROXY_CERTS in an issetugid check, to protect
setuid applications from being fooled. ok miod
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/x509/x509_vfy.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 4a485fc4847..b82af081c62 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.28 2014/06/19 21:24:35 tedu Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.29 2014/06/20 20:59:49 deraadt Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -487,7 +487,7 @@ check_chain_extensions(X509_STORE_CTX *ctx)
!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* A hack to keep people who don't want to modify their
software happy */
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
}