Validate keyword arguments to be valid

If using a dereferenced dict to call create_ca_signed_cert the **extensions kwargs will contain _all_ the kwargs. This causes errors when dereferencing arguments. This adds a test to ensure that the argument is the right type and contains the right keys to be a valid extension. Fixes issue 23872
2025-04-17 10:10:20 +00:00 · 2015-05-18 12:28:16 -07:00 · 2015-05-18 12:28:16 -07:00 · 493f7ad5f0
commit 493f7ad5f0
parent 7f6a716a8a
1 changed files with 7 additions and 6 deletions
--- a/salt/modules/tls.py
+++ b/salt/modules/tls.py
@ -847,12 +847,13 @@ def create_ca_signed_cert(ca_name, CN, days=365, cacert_path=None, digest='sha25
    cert.set_pubkey(req.get_pubkey())
    extensions_list = []
    for name in extensions:
-        log.debug("name: {0}, critical: {1}, options: {2}".format(
-            name, extensions[name]['critical'], extensions[name]['options']))
-        extensions_list.append(OpenSSL.crypto.X509Extension(
-            name,
-            extensions[name]['critical'],
-            extensions[name]['options']))
+        if type(extensions[name]) == dict and extensions[name].keys() == ['critical', 'options']:
+            log.debug("name: {0}, critical: {1}, options: {2}".format(
+                name, extensions[name]['critical'], extensions[name]['options']))
+            extensions_list.append(OpenSSL.crypto.X509Extension(
+                name,
+                extensions[name]['critical'],
+                extensions[name]['options']))
    cert.add_extensions(extensions_list)
    cert.sign(ca_key, digest)