Diffstat (limited to '')
-rw-r--r-- | src/core/exec-credential.c | 5 | ||||
-rwxr-xr-x | test/units/TEST-54-CREDS.sh | 18 |
2 files changed, 23 insertions, 0 deletions
diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c
index e1b09f6718..45cb7f5ce2 100644
--- a/src/core/exec-credential.c
+++ b/src/core/exec-credential.c
@@ -502,6 +502,11 @@ static int load_credential_glob(
 free_and_replace(fn, renamed);
 }
 
+ if (!credential_name_valid(fn)) {
+ log_debug("Skipping credential with invalid name: %s", fn);
+ continue;
+ }
+
 if (faccessat(write_dfd, fn, F_OK, AT_SYMLINK_NOFOLLOW) >= 0) {
 log_debug("Skipping credential with duplicated ID %s at %s", fn, *p);
 continue;
diff --git a/test/units/TEST-54-CREDS.sh b/test/units/TEST-54-CREDS.sh
index f0e6932825..29b789d361 100755
--- a/test/units/TEST-54-CREDS.sh
+++ b/test/units/TEST-54-CREDS.sh
@@ -279,6 +279,24 @@ echo -n ignored >/run/credstore/test.creds.second
 mkdir -p /etc/credstore
 echo -n b >/etc/credstore/test.creds.second
 echo -n c >/etc/credstore/test.creds.third
+# Credential name cannot contain ':'
+echo -n hoge >/etc/credstore/test.creds.hoge:invalid
+
+# Check if credentials with invalid names are not imported.
+systemd-run -p "ImportCredential=test.creds.*" \
+ --unit=test-54-ImportCredential.service \
+ -p DynamicUser=1 \
+ --wait \
+ --pipe \
+ test ! -e '${CREDENTIALS_DIRECTORY}/test.creds.hoge:invalid'
+
+# Check if credentials with invalid names are not imported (with renaming).
+systemd-run -p "ImportCredentialEx=test.creds.*:renamed.creds." \
+ --unit=test-54-ImportCredential.service \
+ -p DynamicUser=1 \
+ --wait \
+ --pipe \
+ test ! -e '${CREDENTIALS_DIRECTORY}/renamed.creds.hoge:invalid'
 
 # Check that all valid credentials are imported.
 systemd-run -p "ImportCredential=test.creds.*" \
|
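Review bot: The new debug message names only `fn`, which by this point may already be the renamed ID (see the `free_and_replace(fn, renamed)` context line just above), so a skipped file cannot be traced back to its path in the credential store. The duplicate-ID message directly below also logs `*p`; for parity I would write `log_debug("Skipping credential with invalid name %s at %s", fn, *p);`. A short comment would also help, for example `/* Validate the final (possibly renamed) name before it is used as a path component relative to write_dfd. */`, because placing the check after renaming and before `faccessat()` is what makes it effective. `load_credential_glob()` starts and ends outside this hunk, so whether the other credential import paths apply the same validation cannot be judged from here.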
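Review bot: Both added checks are purely negative (`test ! -e ...`), so they also pass if nothing was imported at all or if `${CREDENTIALS_DIRECTORY}` expands to an empty string inside the transient unit. Pairing each with a positive assertion in the same invocation would rule that out, for example `test -e '${CREDENTIALS_DIRECTORY}/test.creds.second' -a ! -e '${CREDENTIALS_DIRECTORY}/test.creds.hoge:invalid'`, and the `renamed.creds.` equivalent for the second run. This assumes `test.creds.second` is imported by this glob, as the context lines suggest. The invalid file `/etc/credstore/test.creds.hoge:invalid` is also left in place for the later cases; if that is deliberate, so that the "all valid credentials" check exercises the skip path too, a comment saying so would prevent it being cleaned up later.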