From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: [PATCH 1/2] vpnmain.cgi: Fix for 2nd part of bug10595 Date: Wed, 11 Dec 2024 18:28:05 +0100 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7415068676915416970==" List-Id: --===============7415068676915416970== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Michael, On 11/12/2024 18:00, Michael Tremer wrote: > Hello Adolf, >=20 >> On 11 Dec 2024, at 11:51, Adolf Belka wrote: >> >> - Bug10595 had two parts in it and was closed after the first part was fix= ed. The second >> part was still unfixed at that time. I cam across it when checking out = an open bug on >> a similar issue with OpenVPN. >> - I found the section that checks on the CA Name and modified it to also a= llow spaces. >> - Having modified that then the subroutines getsubjectfromcert and getCNfr= omcert required >> to have quotation marks put around the parameter that had the CA Name w= ith spaces in it >> otherwise the openssl statement only got a filename with the first port= ion of the ca >> name until the first space was encountered. >> - Tested this change out on my vm and it worked fine. I was able to upload= a ca >> certificate into IPSec and use spaces in the CA Name. >> >> Fixes: Bug10595 part 2 >> Tested-by: Adolf Belka >> Signed-off-by: Adolf Belka >> --- >> html/cgi-bin/vpnmain.cgi | 8 ++++---- >> 1 file changed, 4 insertions(+), 4 deletions(-) >> mode change 100755 =3D> 100644 html/cgi-bin/vpnmain.cgi >> >> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi >> old mode 100755 >> new mode 100644 >> index 3541aaa29..694eeed76 >> --- a/html/cgi-bin/vpnmain.cgi >> +++ b/html/cgi-bin/vpnmain.cgi >> @@ -245,7 +245,7 @@ sub callssl ($) { >> ### >> sub getCNfromcert ($) { >> #&General::log("ipsec", "Extracting name from $_[0]..."); >> - my $temp =3D `/usr/bin/openssl x509 -text -in $_[0]`; >> + my $temp =3D `/usr/bin/openssl x509 -text -in '$_[0]'`; >=20 > Oh no, this is really bad code and potentially exploitable. The =E2=80=98= =E2=80=99 make it at least safe for spaces as you intended, but someone could= type in a name like =E2=80=9CBobby=E2=80=99 Tables=E2=80=9D and terminate th= e quoted string early. Just goes to show where my limits are. Now I know better. >=20 > We have a function called &Generall::system_output() which takes the comman= d as an array and returns the output: >=20 > https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dblob;f=3Dconfig/cfgroot/g= eneral-functions.pl;h=3D8ba6e3f79f0a9660ba8f8630ad0c7f1a3f6c988d;hb=3DHEAD#l54 >=20 > It has safeguard so that nothing can be injected into the command line. >=20 > So the code will look a little bit like: >=20 > my @output =3D &General::system_output(=E2=80=9Copenssl=E2=80=9D, =E2=80= =9Cx509=E2=80=9D, =E2=80=9C-text=E2=80=9D, =E2=80=9C-in=E2=80=9D, =E2=80=9C$_= [0]=E2=80=9D); >=20 > foreach my $line (@output) { > my $subject =3D~ /Subject:=E2=80=A6/; # basically the entire regular e= xpression > } >=20 > Do you want to have a try to implement it this way? There should be some ot= her places in vpnmain.cgi where this is being used. Yes, sure I will have a go at trying to use that approach and submit a v2 ver= sion of the patch set. >=20 >> $temp =3D~ /Subject:.*CN\s*=3D\s*(.*)[\n]/; >> $temp =3D $1; >> $temp =3D~ s+/Email+, E+; >> @@ -259,7 +259,7 @@ sub getCNfromcert ($) { >> ### >> sub getsubjectfromcert ($) { >> #&General::log("ipsec", "Extracting subject from $_[0]..."); >> - my $temp =3D `/usr/bin/openssl x509 -text -in $_[0]`; >> + my $temp =3D `/usr/bin/openssl x509 -text -in '$_[0]'`; >> $temp =3D~ /Subject: (.*)[\n]/; >> $temp =3D $1; >> $temp =3D~ s+/Email+, E+; >> @@ -644,8 +644,8 @@ END >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { >> &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); >> >> - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { >> - $errormessage =3D $Lang::tr{'name must only contain characters'}; >> + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9 ]*$/) { >> + $errormessage =3D $Lang::tr{'ca name must only contain characters or spa= ces'}; >=20 > Isn=E2=80=99t everything a character? Yes, technically that is correct but then it should have previously said that= the name must only contain alphanumerics. The same statement is also used fo= r validation of the Name which is also only allowed to have alphanumerics but= the same message is used there of name must only contain characters. Should I change those uses of the word characters to alphanumerics. The wording is correct for the PSK where it says invalid characters found in = pre-shared key but that was modified to say Invalid single quotation mark fou= nd in pre-shared key. However I realise that I changed the English wording as= follows -'invalid characters found in pre-shared key' =3D> 'Invalid characters found = in pre-shared key.', +'invalid characters found in pre-shared key' =3D> 'Invalid single quotation = mark found in pre-shared key.', and I should also have changed the reference wording on the left hand side, o= therwise people doing other language translations will not choose the correct= wording. Regards, Adolf. >=20 >> goto UPLOADCA_ERROR; >> } >> >> --=20 >> 2.47.1 >> >=20 --===============7415068676915416970==--