From ac646930a37504f838cd5686d015bf6d93cc9018 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 26 Sep 2010 08:36:27 -0700
Subject: [PATCH] Tighter validation of ipset names in the hosts file.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Zones.pm | 8 +++++++-
 Shorewall/releasenotes.txt | 12 ++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 3b8819784..b8712dfeb 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1670,7 +1670,13 @@ sub process_host( ) {
 if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 $interface = $1;
 $hosts = $2;
- $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+
+ if ( $hosts =~ /^\+/ ) {
+ $zoneref->{options}{complex} = 1;
+ fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+ fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
+ }
+
 fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
 } else {
 fatal_error "Invalid HOST(S) column contents: $hosts";
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 52ee9d074..97d50327c 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
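Review bot: The name check on the new `fatal_error "Invalid ipset name ($hosts)"` line uses `$` as its end anchor, so a value ending in a newline would still pass, and `\w` is Unicode-aware, so the accepted set is wider than the "letters, digits, underscores and hyphens" the release notes describe; `unless $hosts =~ /^\+[a-zA-Z][-A-Za-z0-9_]*\z/;` pins both. Since the validated name is presumably placed on an iptables/ipset command line later (not visible in this hunk), restricting the accepted characters to plain ASCII is also the safer choice. The preceding `/[\[\]]/` check exists only to give a more specific message for bracketed qualification, since such input would fail the name pattern anyway; a short comment such as `# brackets are rejected first only to give a clearer message` would keep a later reader from treating the two checks as independent. If I recall correctly ipset also enforces a maximum set name length (IPSET_MAXNAMELEN), which this pattern does not check, so an over-long name will be reported only when the set is loaded rather than at compile time. process_host begins and ends outside this hunk.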
@@ -39,6 +39,18 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 This has been corrected so that a single ERROR message is generated.
+4) Previously, an ipset name appearing in the /etc/shorewall/hosts
+ file could be qualified with a list of 'src' and/or 'dst' enclosed
+ in quotes. This was virtually guaranteed not to work since the set
+ must match when used to verify both a packet source and a
+ packet destination. Now, the following error is raised:
+
+ ERROR: ipset name qualification is disallowed in this file
+
+ As part of this change, the ipset name is now verified to begin
+ with a letter and be composed of letters, digits, underscores ("_")
+ and hyphens ("-").
+
 ----------------------------------------------------------------------------
 I I. K N O W N P R O B L E M S R E M A I N I N G
 ----------------------------------------------------------------------------