[rs-dev] TransactionIDs on SCEP and filenames

Graham Leggett minfrin at sharp.fm
Sun Aug 13 23:14:53 CEST 2023


On 07 Aug 2023, at 22:18, Dirk-Willem van Gulik via rs-dev <rs-dev at redwax.eu> wrote:

> After looking into this some more - it seems that below patch / more protection is actually needed - it prevents the 1 in 20 fails on a CISCO SCEP all (when there are things like dots and /-esh in the KeyID).
> 
> So at the least below safe_filename() is needed (and not just wise) for the client controled KeyID. Looking at the serial files - those should be safe as they are essentially numbers (assuming a sensible length).
> 
> Not yet committed.

Definitely makes sense, and builds fine.

+1.

Regards,
Graham
—



More information about the rs-dev mailing list