commit 793ad666bf5ec61392092b27061be9618e4e219b
author Roland Shoemaker <roland@golang.org> Wed May 25 12:54:08 2022 -0700
committer Roland Shoemaker <roland@golang.org> Wed May 25 23:09:36 2022 +0000
tree 91d32e7299638b5b2dcdd9f5edb7a50c16cf693f
parent 6f7dac9698988af7b704298c9fd8adf58e1d30c0

acme/autocert: properly clean DirCache paths

Don't assume the path passed into the DirCache methods is absolute, and
clean it before further operating on it. Put and Delete are not attacker
controlled, but clean them anyway.

Fixes #53082
Fixes CVE-2022-30636

Change-Id: I755f525a737da60ccba07ebce4d41cc8faebfcca
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/408694
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

acme/autocert/cache.go

diff --git a/acme/autocert/cache.go b/acme/autocert/cache.go
index 03f6302..3156a08 100644
--- a/acme/autocert/cache.go
+++ b/acme/autocert/cache.go
@@ -41,7 +41,7 @@
 
 // Get reads a certificate data from the specified file name.
 func (d DirCache) Get(ctx context.Context, name string) ([]byte, error) {
-	name = filepath.Join(string(d), name)
+	name = filepath.Join(string(d), filepath.Clean("/"+name))
 	var (
 		data []byte
 		err  error
@@ -82,7 +82,7 @@
 		case <-ctx.Done():
 			// Don't overwrite the file if the context was canceled.
 		default:
-			newName := filepath.Join(string(d), name)
+			newName := filepath.Join(string(d), filepath.Clean("/"+name))
 			err = os.Rename(tmp, newName)
 		}
 	}()
@@ -96,7 +96,7 @@
 
 // Delete removes the specified file name.
 func (d DirCache) Delete(ctx context.Context, name string) error {
-	name = filepath.Join(string(d), name)
+	name = filepath.Join(string(d), filepath.Clean("/"+name))
 	var (
 		err  error
 		done = make(chan struct{})