Allow absolute paths to be set

It was a mistake to allow relative paths for include files (just
like root shouldn't have "." in its PATH), but we probably can't
change it now. Add a new pragma "abspath" that someone can put
in the system-wide config file to require absolute paths.

Also update the config documentation to better explain how file
inclusion works.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15090)

CHANGES.md

@@ -23,6 +23,11 @@ OpenSSL 3.0
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * Add ".pragma abspath:true" to prevent relative file inclusion in
+   config files.
+
+   * Rich Salz *
+
  * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
    validated. The module is implemented as an OpenSSL provider, the so-called
    FIPS provider. A list of all changes related to the FIPS provider would go

crypto/conf/conf_def.c

@@ -188,6 +188,23 @@ static int def_load(CONF *conf, const char *name, long *line)
     return ret;
 }
 
+
+/* Parse a boolean value and fill in *flag. Return 0 on error. */
+static int parsebool(const char *pval, int *flag)
+{
+    if (strcmp(pval, "on") == 0
+            || strcmp(pval, "true") == 0) {
+        *flag = 1;
+    } else if (strcmp(pval, "off") == 0
+            || strcmp(pval, "false") == 0) {
+        *flag = 0;
+    } else {
+        ERR_raise(ERR_LIB_CONF, CONF_R_INVALID_PRAGMA);
+        return 0;
+    }
+    return 1;
+}
+
 static int def_load_bio(CONF *conf, BIO *in, long *line)
 {
 /* The macro BUFSIZE conflicts with a system macro in VxWorks */
@@ -399,16 +416,11 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                  * dollarid     takes "on", "true or "off", "false"
                  */
                 if (strcmp(p, "dollarid") == 0) {
-                    if (strcmp(pval, "on") == 0
-                        || strcmp(pval, "true") == 0) {
-                        conf->flag_dollarid = 1;
-                    } else if (strcmp(pval, "off") == 0
-                               || strcmp(pval, "false") == 0) {
-                        conf->flag_dollarid = 0;
-                    } else {
-                        ERR_raise(ERR_LIB_CONF, CONF_R_INVALID_PRAGMA);
+                    if (!parsebool(pval, &conf->flag_dollarid))
+                        goto err;
+                } else if (strcmp(p, "abspath") == 0) {
+                    if (!parsebool(pval, &conf->flag_abspath))
                         goto err;
-                    }
                 }
                 /*
                  * We *ignore* any unknown pragma.
@@ -429,6 +441,11 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                 if (!str_copy(conf, psection, &include, p))
                     goto err;
 
+                if (conf->flag_abspath && !ossl_is_absolute_path(include)) {
+                    ERR_raise(ERR_LIB_CONF, CONF_R_RELATIVE_PATH);
+                    goto err;
+                }
+
                 if (include_dir != NULL && !ossl_is_absolute_path(include)) {
                     size_t newlen = strlen(include_dir) + strlen(include) + 2;
 

crypto/conf/conf_err.c

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -41,6 +41,7 @@ static const ERR_STRING_DATA CONF_str_reasons[] = {
     "openssl conf references missing section"},
     {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RECURSIVE_DIRECTORY_INCLUDE),
     "recursive directory include"},
+    {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RELATIVE_PATH), "relative path"},
     {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_COMMAND_SECTION_EMPTY),
     "ssl command section empty"},
     {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_COMMAND_SECTION_NOT_FOUND),

crypto/err/openssl.txt

@@ -393,6 +393,7 @@ CONF_R_NUMBER_TOO_LARGE:121:number too large
 CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION:124:\
 	openssl conf references missing section
 CONF_R_RECURSIVE_DIRECTORY_INCLUDE:111:recursive directory include
+CONF_R_RELATIVE_PATH:125:relative path
 CONF_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty
 CONF_R_SSL_COMMAND_SECTION_NOT_FOUND:118:ssl command section not found
 CONF_R_SSL_SECTION_EMPTY:119:ssl section empty

doc/man5/config.pod

@@ -47,11 +47,21 @@ inside the B<pathname> are B<ignored>.  Similarly, if a file is opened
 while scanning a directory, and that file has an B<.include> directive
 that specifies a directory, that is also ignored.
 
-As a general rule, the B<pathname> should be an absolute path.  Relative
-paths are evaluated based on the current working directory, so unless the
-file with the B<.include> directive is application-specific, the inclusion
-will not work as expected.  The environment variable B<OPENSSL_CONF_INCLUDE>,
-if it exists, will be prepended to all B<.include> B<pathname>'s.
+As a general rule, the B<pathname> should be an absolute path; this can
+be enforced with the B<relpath> pragma, described below.
+The environment variable B<OPENSSL_CONF_INCLUDE>, if it exists,
+is prepended to all relative pathnames.
+If the pathname is still relative, it is interpreted based on the
+current working directory.
+
+To require all file inclusions to name absolute paths, use the following
+directive:
+
+ .progma [=] abspath:value
+
+The default behavior, where the B<value> is B<false> or B<off>, is to allow
+relative paths. To require all B<.include> pathnames to be absolute paths,
+use a B<value> of B<true> or B<on>.
 
 In these files, the dollar sign, B<$>, is used to reference a variable, as
 described below.  On some platforms, however, it is common to treat B<$>
@@ -60,22 +70,11 @@ done with the following directive:
 
  .pragma [=] dollarid:value
 
-Where B<value> is one of the following:
-
-=over 4
-
-=item B<off> or B<false>
-
-This is the default behavior. For example, C<foo$bar> is interpreted as
-C<foo> followed by the expansion of the variable C<bar>.
-
-=item B<on> or B<true>
-
-This specifies that dollar signs are part of the symbol name and
+The default behavior, where the B<value> is B<false> or B<off>, is to treat
+the dollarsign as indicating a variable name; C<foo$bar> is interpreted as
+C<foo> followed by the expansion of the variable C<bar>. If B<value> is
+B<true> or B<on>, then C<foo$bar> is a single seven-character name nad
 variable expansions must be specified using braces or parentheses.
-For example, C<foo$bar> is treated as a single seven-character name.
-
-=back
 
 =head2 Settings
 

include/crypto/conferr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

include/openssl/conferr.h

@@ -38,6 +38,7 @@
 # define CONF_R_NUMBER_TOO_LARGE                          121
 # define CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION   124
 # define CONF_R_RECURSIVE_DIRECTORY_INCLUDE               111
+# define CONF_R_RELATIVE_PATH                             125
 # define CONF_R_SSL_COMMAND_SECTION_EMPTY                 117
 # define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND             118
 # define CONF_R_SSL_SECTION_EMPTY                         119