Client CN with '/' in subject accesses subdirectory of clients/ config dir #31

New issue

Closed

opened 2026-05-17 23:13:43 +02:00 by heiko · 1 comment

heiko commented

2026-05-17 23:13:43 +02:00

Owner

Summary

cmd/cert-proxy-server/cnlist.go:15 opens the per-client config file using the raw X.509 Common Name:

cc, err := http.Dir(opt.ClientConfigDir).Open(cn)

http.Dir prevents ../ traversal, but a CN containing a forward slash (e.g. a/b) is treated as a path component: http.Dir.Open("a/b") opens clients/a/b rather than clients/a%2Fb.

A CA that issues a certificate with CN=subdir/name could cause the server to read a config file from an unexpected subdirectory of the clients directory.

Impact

Requires a compromised or permissive CA. If the clients directory contains subdirectories for other purposes, unexpected authorization files could be read.

Fix

Reject any CN that contains a path separator before using it as a filename:

if strings.ContainsAny(cn, "/\\") {
    return nil, fmt.Errorf("invalid CN %q: contains path separator", cn)
}

## Summary `cmd/cert-proxy-server/cnlist.go:15` opens the per-client config file using the raw X.509 Common Name: ```go cc, err := http.Dir(opt.ClientConfigDir).Open(cn) ``` `http.Dir` prevents `../` traversal, but a CN containing a forward slash (e.g. `a/b`) is treated as a path component: `http.Dir.Open("a/b")` opens `clients/a/b` rather than `clients/a%2Fb`. A CA that issues a certificate with CN=`subdir/name` could cause the server to read a config file from an unexpected subdirectory of the clients directory. ## Impact Requires a compromised or permissive CA. If the clients directory contains subdirectories for other purposes, unexpected authorization files could be read. ## Fix Reject any CN that contains a path separator before using it as a filename: ```go if strings.ContainsAny(cn, "/\\") { return nil, fmt.Errorf("invalid CN %q: contains path separator", cn) } ```

heiko added the

security

label

2026-05-17 23:13:43 +02:00

heiko commented

2026-05-20 15:59:50 +02:00

Author

Owner

Confirmed. http.Dir blocks .. traversal but treats / as a path separator, so a CN like a/b reads clients/a/b. Fix is a one-liner: reject CNs containing /, \, NUL, or that are empty / start with '.'. Will keep scope to cnList — the adjacent double-Close on cc is tracked separately in #32.

— 🤖 Generated with Claude Code (claude-opus-4-7)

Confirmed. http.Dir blocks .. traversal but treats / as a path separator, so a CN like a/b reads clients/a/b. Fix is a one-liner: reject CNs containing /, \\, NUL, or that are empty / start with '.'. Will keep scope to cnList — the adjacent double-Close on cc is tracked separately in #32. — 🤖 Generated with Claude Code (claude-opus-4-7)

heiko referenced this issue from a commit

2026-05-20 19:44:19 +02:00

test: add regression for CN path separator (#31)

heiko referenced this issue from a commit

2026-05-20 19:44:19 +02:00

fix: reject client CN containing path separator

heiko referenced this issue from a pull request that will close it,

2026-05-20 19:44:43 +02:00

fix: reject client CN containing path separator (#31) #37

heiko referenced this issue

2026-05-20 21:48:42 +02:00

serve.go: validate URL-derived domain (defense in depth, Windows considerations) #38