On Fri, 2011-09-09 at 18:36 +0400, Dmitry Mikhirev wrote:
> Hello!
>
> I want to pay your attention to realisation of export_params() function
> (in Config.pm file). It exports environment variables without any
> sanitizing, that sometimes can lead to errors, e.g. if variables contain
> quotes and/or new line symbols.
>
> The example is posted here: https://qa.mandriva.com/show_bug.cgi?id=64188
> The unusual value of $EDITOR leads to impossibility to start Shorewall.

Hello Dmitry,

Here is a patch that applies with an offset to 4.4.19 (which is what the bug report refers to). It corrects the problem as far as I can tell.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 968007f..33cdfa2 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3373,13 +3373,20 @@ sub export_params() {
#
# Don't export pairs from %ENV
#
- if ( exists $ENV{$param} && defined $ENV{$param} ) {
+ if ( exists $ENV{$param} ) {
+ next unless defined $ENV{$param};
next if $value eq $ENV{$param};
+ #
+ # Don't export anything from %ENV that is multi-line
+ # or that contains quotes. get_params() may have
+ # changed the value so the above test will fail.
+ #
+ next if $value =~ /[\n'"]/;
}
emit "#\n# From the params file\n#" unless $count++;
- if ( $value =~ /[\s()[]/ ) {
+ if ( $value =~ /[\s()[`]/ ) {
emit "$param='$value'";
} else {
emit "$param=$value";
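
Review bot: the new `next if $value =~ /[\n'"]/;` test sits inside the `if ( exists $ENV{$param} )` block, so it only filters parameters that also exist in %ENV. A value that comes only from the params file and contains a single quote still reaches `emit "$param='$value'"` or `emit "$param=$value"` and leaves an unbalanced quote in the emitted assignment. Consider handling quoting at the emit step instead, for example by always emitting the single-quoted form and writing each embedded ' as '\''. That would also cover values that the character class in the second changed line still lets through to the unquoted branch, such as ones containing `;`, `$`, `&` or `|`.
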
_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
