From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] vpnmain.cgi: Fix for 2nd part of bug10595
Date: Wed, 11 Dec 2024 17:00:44 +0000
In-Reply-To: <20241211115144.2837-1-adolf.belka@ipfire.org>

Hello Adolf,

> On 11 Dec 2024, at 11:51, Adolf Belka wrote:
>
> - Bug10595 had two parts in it and was closed after the first part was fixed. The second
> part was still unfixed at that time. I came across it when checking out an open bug on
> a similar issue with OpenVPN.
> - I found the section that checks on the CA Name and modified it to also allow spaces.
> - Having modified that, the subroutines getsubjectfromcert and getCNfromcert required
> quotation marks to be put around the parameter that had the CA Name with spaces in it;
> otherwise the openssl statement only got a filename with the first portion of the ca
> name until the first space was encountered.
> - Tested this change out on my vm and it worked fine. I was able to upload a ca
> certificate into IPSec and use spaces in the CA Name.
>
> Fixes: Bug10595 part 2
> Tested-by: Adolf Belka
> Signed-off-by: Adolf Belka
> ---
> html/cgi-bin/vpnmain.cgi | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
> mode change 100755 => 100644 html/cgi-bin/vpnmain.cgi
>
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> old mode 100755
> new mode 100644
> index 3541aaa29..694eeed76
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -245,7 +245,7 @@ sub callssl ($) {
> ###
> sub getCNfromcert ($) {
> #&General::log("ipsec", "Extracting name from $_[0]...");
> - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
> + my $temp = `/usr/bin/openssl x509 -text -in '$_[0]'`;

Oh no, this is really bad code and potentially exploitable. The '' make it at least safe for spaces as you intended, but someone could type in a name like "Bobby' Tables" and terminate the quoted string early.

We have a function called &General::system_output() which takes the command as an array and returns the output:

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cfgroot/general-functions.pl;h=8ba6e3f79f0a9660ba8f8630ad0c7f1a3f6c988d;hb=HEAD#l54

It has safeguards so that nothing can be injected into the command line.

So the code will look a little bit like:

    my @output = &General::system_output("openssl", "x509", "-text", "-in", "$_[0]");

    foreach my $line (@output) {
        if ($line =~ /Subject:…/) { # basically the entire regular expression
        }
    }

Do you want to have a try to implement it this way? There should be some other places in vpnmain.cgi where this is being used.

> $temp =~ /Subject:.*CN\s*=\s*(.*)[\n]/;
> $temp = $1;
> $temp =~ s+/Email+, E+;
> @@ -259,7 +259,7 @@ sub getCNfromcert ($) {
> ###
> sub getsubjectfromcert ($) {
> #&General::log("ipsec", "Extracting subject from $_[0]...");
> - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
> + my $temp = `/usr/bin/openssl x509 -text -in '$_[0]'`;
> $temp =~ /Subject: (.*)[\n]/;
> $temp = $1;
> $temp =~ s+/Email+, E+;
> @@ -644,8 +644,8 @@ END
> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
> &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
>
> - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
> - $errormessage = $Lang::tr{'name must only contain characters'};
> + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9 ]*$/) {
> + $errormessage = $Lang::tr{'ca name must only contain characters or spaces'};

Isn't everything a character?

> goto UPLOADCA_ERROR;
> }
>
> --
> 2.47.1
>
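Review bot: the file header's "mode change 100755 => 100644" drops the executable bit on html/cgi-bin/vpnmain.cgi, which is unrelated to the described fix and looks unintentional for a CGI script; regenerate the patch without the mode change (or restore the bit) so the script still runs.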
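Review bot: in the first hunk (getCNfromcert), `-in '$_[0]'` still hands the value to a shell, so a name containing a single quote ends the quoting and the remainder is no longer part of the file name; run openssl without a shell instead (a list-form call such as the &General::system_output mentioned in the reply) and apply the regex to the returned lines. The unchanged `$temp = $1;` that follows also uses $1 without checking that the match succeeded, so wrap it as `if ($temp =~ /Subject:.*CN\s*=\s*(.*)[\n]/) { $temp = $1; }` or the function returns stale data when the certificate has no CN.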
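Review bot: the second hunk (getsubjectfromcert) repeats the same single-quote wrapping and therefore the same weakness; rather than patching both backtick calls separately, factor the openssl invocation into one shared helper that takes the arguments as a list, so the shell-free fix lives in a single place and also covers the other callers in vpnmain.cgi that the reply mentions.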
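Review bot: in the third hunk, changing the quantifier from `+` to `*` means `/^[a-zA-Z0-9 ]*$/` now accepts an empty CA name and a name consisting only of spaces, and leading or trailing spaces pass as well; keep `+` (or use `/^[a-zA-Z0-9]+(?: [a-zA-Z0-9]+)*$/`) unless an earlier check already rejects those. The new translation key 'ca name must only contain characters or spaces' is not added to any language file in this patch, so $Lang::tr{...} is undefined unless patch 2/2 adds it; the old key's wording ("name must only contain characters") is what the reply's "Isn't everything a character?" is about, and "letters and digits" would be clearer in the new string.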
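Added example, not code from the patch, the reply or the IPFire tree: the shell-free extraction the reply asks for, done with Perl's list-form open as an assumed stand-in for &General::system_output (whose exact signature this example does not rely on), using the regexes from vpnmain.cgi. The CA-name check goes beyond the hunk in that it also rejects an empty name, a name made only of spaces, and leading or trailing spaces.

```perl
#!/usr/bin/perl
# Added example (not from the patch or the IPFire tree); run as:
#   perl thisfile.pl /path/to/ca.pem
use strict;
use warnings;

# Same character set as the hunk, but '+' instead of '*' so an empty name
# is rejected, and single spaces only between alphanumeric runs.
sub ca_name_is_valid {
    my ($name) = @_;
    return 0 unless defined $name;
    return $name =~ /^[a-zA-Z0-9]+(?: [a-zA-Z0-9]+)*$/ ? 1 : 0;
}

# Run openssl without /bin/sh: each list element becomes one argv entry, so
# spaces or quotes in $path reach openssl unchanged and cannot end the
# command early or add further commands. (List-form open is an assumed
# stand-in for &General::system_output.)
sub openssl_x509_text {
    my ($path) = @_;
    open(my $fh, '-|', '/usr/bin/openssl', 'x509', '-text', '-in', $path)
        or die "cannot run openssl: $!";
    my @lines = <$fh>;
    close($fh) or warn "openssl exited with status " . ($? >> 8) . "\n";
    return @lines;
}

# Apply the CN regex from vpnmain.cgi line by line and use $1 only when the
# match actually succeeded; returns undef when the certificate has no CN.
sub cn_from_cert {
    my ($path) = @_;
    foreach my $line (openssl_x509_text($path)) {
        if ($line =~ /Subject:.*CN\s*=\s*(.*)$/) {
            (my $cn = $1) =~ s+/Email+, E+;   # same rewrite as vpnmain.cgi
            return $cn;
        }
    }
    return;
}

if (@ARGV) {
    my $cn = cn_from_cert($ARGV[0]);
    print defined $cn ? "CN: $cn\n" : "no CN found\n";
}
```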