Fix silly hole in zones file parsing

2024-11-27 10:03:41 +01:00 · 2009-08-30 08:05:10 -07:00 · 2009-08-30 08:05:10 -07:00 · 2bb92a79f3
commit 2bb92a79f3
parent 57ca3591e5
5 changed files with 15 additions and 8 deletions
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -49,7 +49,7 @@ our $export;

 our $test;

-our $family = F_IPV4;
+our $family;

 #
 # Initilize the package-globals in the other modules
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -683,15 +683,16 @@ sub cleanup() {
    #
    # Close files first in case we're running under Cygwin
    #
-    close  $object         if $object;
-    close  $scriptfile     if $scriptfile;
-    close  $log            if $log;
+    close  $object, $object = undef         if $object;
+    close  $scriptfile, $scriptfile = undef if $scriptfile;
+    close  $log, $log = undef               if $log;
    #
    # Unlink temporary files
    #
-    unlink $tempfile       if $tempfile;
-    unlink $scriptfilename if $scriptfilename;
+    unlink $tempfile, $tempfile = undef             if $tempfile;
+    unlink $scriptfilename, $scriptfilename = undef if $scriptfilename;
    unlink $_ for @tempfiles;
+    @tempfiles = ();
 }

 #
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -359,8 +359,8 @@ sub process_zone( \$ ) {
    fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
    fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};

-    if ( $type =~ /ipv([46])?/i ) {
-	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
+    if ( $type =~ /^ip(v([46]))?$/i ) {
+	fatal_error "Invalid zone type ($type)" if $1 && $2 != $family;
 	$type = IP;
 	$$ip = 1;
    } elsif ( $type =~ /^ipsec([46])?$/i ) {
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -29,6 +29,8 @@ Changes in Shorewall 4.4.1

 14) Fix rule generated by MULTICAST=Yes

+15) Fix silly hole in zones file parsing.
+
 Changes in Shorewall 4.4.0

 1)  Fix 'compile ... -' so that it no longer requires '-v-1'
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -255,6 +255,10 @@ None.
    /etc/shorewall/interfaces, multicast traffic will now be sent to
    the zone along with limited broadcasts.

+5)  A flaw in the parsing logic for the zones file allowed most zone
+    types containing the character string 'ip' to be accepted as a
+    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
+
 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   I N   4 . 4
 ----------------------------------------------------------------------------