Tighter validation of ipset names in the hosts file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-26 08:36:27 -07:00 · 2010-09-26 08:36:27 -07:00 · ac646930a3
commit ac646930a3
parent 066c772fcd
2 changed files with 19 additions and 1 deletions
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -1670,7 +1670,13 @@ sub process_host( ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+
+	    if ( $hosts =~ /^\+/ ) {
+		$zoneref->{options}{complex} = 1;
+		fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+		fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
+	    }
+
 	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -39,6 +39,18 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
    This has been corrected so that a single ERROR message is
    generated.

+4)  Previously, an ipset name appearing in the /etc/shorewall/hosts
+    file could be qualified with a list of 'src' and/or 'dst' enclosed
+    in quotes. This was virtually guaranteed not to work since the set
+    must match when used to verify both a packet source and a
+    packet destination. Now, the following error is raised:
+
+    	   ERROR: ipset name qualification is disallowed in this file
+
+    As part of this change, the ipset name is now verified to begin
+    with a letter and be composed of letters, digits, underscores ("_")
+    and hyphens ("-").
+
 ----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------