Dangerous prefix set
Shortfinga opened this issue · 1 comments
Hi,
I just noticed in some binaries using your library that they are looking in some weird places for an openss.cnf. The weird places is usually a path used for building the binaries. So I dug a bit deeper and found this code:
if host.contains("pc-windows-gnu") {
configure.arg(&format!("--prefix={}", sanitize_sh(&install_dir)));
} else {
configure.arg(&format!("--prefix={}", install_dir.display()));
}
Line 137 in 9f28b4c
I created the folders and indeed the config is loaded (strace indicates so) but unfortunately (for me) I did not manage to exploit this. This path should be kept restricted as CVE-2019-1552 indicates. (https://www.openssl.org/news/secadv/20190730.txt) OpenSSL sets a good default unfortunately it is overwritten by the library.
Could you drop that or offer a solution to set this to the OpenSSL default again?
Unfortunately I'm no rust dev so I cannot really test/debug stuff or even create a pull request. Anyways, thanks for looking into this!
Thanks for pointing this out! I posted what I think should fix this in #141