From 7e320d274859d7b90acb6004f3abd19c28ad3914 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@irq6.net>
Date: Tue, 11 Mar 2025 12:04:00 +0100
Subject: [PATCH] haproxy: don't leak private keys when doing --debug

It was reported in issue #6267 that the private key was leaked when using the DEPLOY_HAPROXY_HOT_UPDATE=yes feature. Indeed, the debugging code which sends commands to HAProxy was using _debug even when passing the private key. This patch fixes the issue by using _secure_debug when doing that.
---
 deploy/haproxy.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/haproxy.sh b/deploy/haproxy.sh
index c8491d92..19509e3b 100644
--- a/deploy/haproxy.sh
+++ b/deploy/haproxy.sh
@@ -357,7 +357,7 @@ haproxy_deploy() {
 _info "Update existing certificate '${_pem}' over HAProxy ${_socketname}."
 fi
 _socat_cert_set_cmd="echo -e '${_cmdpfx}set ssl cert ${_pem} <<\n$(cat "${_pem}")\n' | socat '${_statssock}' - | grep -q 'Transaction created'"
- _debug _socat_cert_set_cmd "${_socat_cert_set_cmd}"
+ _secure_debug _socat_cert_set_cmd "${_socat_cert_set_cmd}"
 eval "${_socat_cert_set_cmd}"
 _ret=$?
 if [ "${_ret}" != "0" ]; then
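Review bot: Switching to `_secure_debug` keeps the key out of the debug log line, but the PEM contents are still interpolated into `_socat_cert_set_cmd` by `$(cat "${_pem}")` on the line above and then run through `eval`, so the private key remains in a shell variable for the rest of haproxy_deploy and would be printed verbatim by a shell trace (`set -x`) or by any later `_debug` of that variable. A shape that never puts the key into a command string is to stream it straight into socat, e.g. `{ printf '%sset ssl cert %s <<\n' "${_cmdpfx}" "${_pem}"; cat -- "${_pem}"; printf '\n'; } | socat "${_statssock}" - | grep -q 'Transaction created'`, which also drops the `eval` and the non-POSIX `echo -e` (the payload's terminating newline may need adjusting to match what `echo -e '...\n'` produced). If the eval form is kept, unsetting `_socat_cert_set_cmd` immediately after the `eval` would at least shorten how long the key material lingers. haproxy_deploy begins and continues outside this hunk, so other `_debug` calls on the same variable there were not checked.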