vars: Forbid auto-loaded "$EASYRSA_PKI/vars" from changing the PKI

If a vars file in the PKI tries to change the expected PKI then fail. Allow vars file in the working directory to change the PKI. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-09-19 03:21:25 +01:00 · 2023-09-19 03:21:25 +01:00 · 7b38d99b4c
commit 7b38d99b4c
parent f47b491346
1 changed files with 16 additions and 4 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -5665,15 +5665,16 @@ The 'vars' file was not found:
 		# If EASYRSA_PKI is set then it is user set,
 		# allow use of the default vars in the set PKI
 		if [ "$EASYRSA_PKI" ]; then
+			# EASYRSA_PKI will not be changed by vars
 			pki_vars="${EASYRSA_PKI}/vars"
-			user_pki_true=1
-			unset -v default_pki_true
 		else
 			# default pki/vars
 			# if this conflicts then bail
 			pki_vars="${PWD}/pki/vars"
-			default_pki_true=1
-			unset -v user_pki_true
+
+			# Setup "catch EXPECTED PKI changed"
+			# auto-load 'pki/vars' is FORBIDDEN to change PKI
+			expected_pki="${PWD}/pki"
 		fi

 		# vars of last resort; The Default
@ -5878,6 +5879,16 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'"

 	set_var EASYRSA_MAX_TEMP		4

+	# Catch unexpected PKI change
+	if [ "$expected_pki" ]; then
+		[ "$expected_pki" = "$EASYRSA_PKI" ] || \
+			user_error "\
+The PKI was unexpectedly changed by the vars file.
+vars    : $vars
+Expected: $expected_pki
+Set     : $EASYRSA_PKI"
+	fi
+
 	# if the vars file in use is not in the PKI
 	# and not user defined then Show the messages
 	if [ "$require_pki" ]; then
@ -7040,6 +7051,7 @@ unset -v \
 	alias_days \
 	prohibit_no_pass \
 	found_vars no_new_vars user_vars_true \
+	expected_pki \
 	do_build_full error_build_full_cleanup \
 	internal_batch \
 	easyrsa_exit_with_error error_info