The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=0f15f5359041ac50090606082a9c46d913ce7d0f

commit 0f15f5359041ac50090606082a9c46d913ce7d0f
Author:     Mark Johnston <[email protected]>
AuthorDate: 2026-05-12 14:13:56 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2026-05-20 19:34:50 +0000

    bsdinstall: Avoid invoking eval on the wlan SSID list
    
    The wlanconfig utility is not careful about handling untrusted network
    names, which can contain shell metacharacters.  Factor network selection
    into a subroutine and use the `set -- "$@"` trick to build up a list of
    positional parameters for bsddialog without evaluating them.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:23.bsdinstall
    Security:       CVE-2026-45255
    Reported by:    Austin Ralls
    Reviewed by:    dteske, des, asiciliano
    Differential Revision:  https://reviews.freebsd.org/D56973
---
 usr.sbin/bsdinstall/scripts/wlanconfig | 47 ++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 16 deletions(-)

diff --git a/usr.sbin/bsdinstall/scripts/wlanconfig 
b/usr.sbin/bsdinstall/scripts/wlanconfig
index 33d94a933f45..aababf76c266 100755
--- a/usr.sbin/bsdinstall/scripts/wlanconfig
+++ b/usr.sbin/bsdinstall/scripts/wlanconfig
@@ -147,6 +147,34 @@ dialog_country_select()
        country_set "$regdomain" "$country"
 }
 
+dialog_network_select()
+{
+       local ssid flags height width rows prompt
+
+       # Avoid using eval on untrusted data.
+       set --
+       while IFS=$'\t' read -r ssid flags; do
+               [ -n "$ssid" ] || continue
+               set -- "$@" "$ssid" "$flags"
+       done <<EOF
+$NETWORKS
+EOF
+
+       f_dialog_title "Network Selection"
+       prompt="Select a wireless network to connect to."
+       f_dialog_menu_size height width rows \
+               "$DIALOG_TITLE" "$DIALOG_BACKTITLE" "$prompt" "" "$@"
+       $DIALOG \
+               --title "$DIALOG_TITLE"         \
+               --backtitle "$DIALOG_BACKTITLE" \
+               --extra-button                  \
+               --extra-label "Rescan"          \
+               --menu "$prompt"                \
+               $height $width $rows            \
+               "$@"                            \
+               2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
+}
+
 ############################################################ MAIN
 
 : > "$BSDINSTALL_TMPETC/wpa_supplicant.conf"
@@ -213,27 +241,14 @@ while :; do
 
        f_eval_catch -dk SCAN_RESULTS wlanconfig wpa_cli "wpa_cli scan_results"
        NETWORKS=$( echo "$SCAN_RESULTS" | awk -F '\t' '
-               /..:..:..:..:..:../ && $5 { printf "\"%s\"\t\"%s\"\n", $5, $4 }
+               /..:..:..:..:..:../ && $5 { print $5 "\t" $4 }
        ' | sort | uniq )
 
        if [ ! "$NETWORKS" ]; then
                f_dialog_title "$msg_error"
                f_yesno "No wireless networks were found. Rescan?" && continue
        else
-               f_dialog_title "Network Selection"
-               prompt="Select a wireless network to connect to."
-               f_dialog_menu_size height width rows "$DIALOG_TITLE" \
-                       "$DIALOG_BACKTITLE" "$prompt" "" $NETWORKS
-               NETWORK=$( eval $DIALOG \
-                       --title \"\$DIALOG_TITLE\"         \
-                       --backtitle \"\$DIALOG_BACKTITLE\" \
-                       --extra-button                     \
-                       --extra-label \"Rescan\"           \
-                       --menu \"\$prompt\"                \
-                       $height $width $rows               \
-                       $NETWORKS                          \
-                       2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
-               )
+               NETWORK=$( dialog_network_select )
        fi
        retval=$?
        f_dialog_data_sanitize NETWORK
@@ -270,7 +285,7 @@ while :; do
 done
 
 [ "$ENCRYPTION" ] || ENCRYPTION=$( echo "$NETWORKS" |
-       awk -F '\t' "/^\"$NETWORK\"\t/ { print \$2 }" )
+       awk -F '\t' "/^$NETWORK\t/ { print \$2 }" )
 
 if echo "$ENCRYPTION" | grep -q PSK; then
        PASS=$( $DIALOG \

Reply via email to