> That'll probably work with some extra sanity checks on the file name.
> Ideally we should just pass the dev-node (empty if unspecified) and type of
> device (TAP6 or WINTUN), but that will require a lot of duplication of
> code in the service, as you noted.
> One option is to pass the device guid in case of tap or the index in case
> of wintun and construct the path in the service. That requires very little
> extra code. Otherwise a thorough sanitization of the path is required as
> there could be obscure ways of breaking out using "..\" or otherwise,
> though I'm not sure. Things like \\.\C:\..\D:\ work on Windows so I won't
> take any chances.

You are right, just tested and one can escape global like this:


I'll do as you've proposed - pass a string which is either guid or number,
a boolean flag (wintun/tap6) and add some validation.

> PS. Just noticed you've already posted a v4 -- I haven't looked at it yet.

v5 is coming!

Openvpn-devel mailing list
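
The approach agreed on in this thread (the service receives only a GUID or a number plus a wintun/tap6 flag and builds the device path itself), as an added example that is not the v5 patch or OpenVPN's own code. The function name `build_device_path`, the path prefix, the `.tap` suffix, the `WINTUN` device name and the four-digit index limit are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed prefix/suffix; the thread only says the device lives under "Global". */
#define DEV_PREFIX "\\\\.\\Global\\"
#define TAP_SUFFIX ".tap"

/* Accept only "{8-4-4-4-12}" hex digits, so no '\', '.', ':' or '/' can appear. */
static bool is_guid(const char *s)
{
    if (strlen(s) != 38 || s[0] != '{' || s[37] != '}')
        return false;
    for (size_t i = 1; i < 37; i++) {
        bool dash = (i == 9 || i == 14 || i == 19 || i == 24);
        if (dash ? s[i] != '-' : !isxdigit((unsigned char)s[i]))
            return false;
    }
    return true;
}

/* Accept 1 to 4 decimal digits (the upper limit is an assumption). */
static bool is_index(const char *s)
{
    size_t n = strlen(s);
    if (n < 1 || n > 4)
        return false;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return false;
    return true;
}

/* Returns 0 and fills out on success, -1 if id is rejected or out is too small. */
int build_device_path(const char *id, bool wintun, char *out, size_t outlen)
{
    int n;
    if (id == NULL || out == NULL)
        return -1;
    if (wintun) {
        if (!is_index(id)) return -1;
        n = snprintf(out, outlen, DEV_PREFIX "WINTUN%s", id);
    } else {
        if (!is_guid(id)) return -1;
        n = snprintf(out, outlen, DEV_PREFIX "%s" TAP_SUFFIX, id);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Because the caller never supplies path syntax, there is nothing to sanitize: anything that is not a well-formed GUID or a short number is rejected before a path exists.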
