authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-07-26 07:27:03 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-07-26 07:27:03 +0000
commit5a2e9a2587372aeb4b74fa1aadf53283ed7cae10 (patch)
treebc79922f81699bc51c2ac047309e6ab594eebcd2 /socket.c
parentAdded argv_x functions to buffer.[ch] to be used to safely build (diff)
downloadopenvpn-5a2e9a2587372aeb4b74fa1aadf53283ed7cae10.tar.xz
Completely revamped the system for calling external programs and scripts:
* All external programs and scripts are now called by execve() on unix and CreateProcess on Windows. * The system() function is no longer used. * Argument lists for external programs and scripts are now built by the new argv_printf function which natively outputs to string arrays (i.e. char *argv[] lists), never truncates its output, and eliminates the security issues inherent in formatting and parsing command lines, and dealing with argument quoting. * The --script-security directive has been added to offer policy controls on OpenVPN's execution of external programs and scripts. Also added a new plugin example (openvpn/plugin/examples/log.c) that logs information to stdout for every plugin method called by OpenVPN. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'socket.c')
-rw-r--r--socket.c34
1 files changed, 26 insertions, 8 deletions
diff --git a/socket.c b/socket.c
index 135fb0e..c1b16ad 100644
--- a/socket.c
+++ b/socket.c
@@ -1480,6 +1480,22 @@ setenv_trusted (struct env_set *es, const struct link_socket_info *info)
setenv_link_socket_actual (es, "trusted", &info->lsa->actual, SA_IP_PORT);
}
+static void
+ipchange_fmt (const bool include_cmd, struct argv *argv, const struct link_socket_info *info, struct gc_arena *gc)
+{
+ const char *ip = print_sockaddr_ex (&info->lsa->actual.dest, NULL, 0, gc);
+ const char *port = print_sockaddr_ex (&info->lsa->actual.dest, NULL, PS_DONT_SHOW_ADDR|PS_SHOW_PORT, gc);
+ if (include_cmd)
+ argv_printf (argv, "%s %s %s",
+ info->ipchange_command,
+ ip,
+ port);
+ else
+ argv_printf (argv, "%s %s",
+ ip,
+ port);
+}
+
void
link_socket_connection_initiated (const struct buffer *buf,
struct link_socket_info *info,
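Review bot: ipchange_fmt (the new static function ending at the `}` before the blank line) has no comment stating what argv elements it produces, and the two argv_printf calls leave implicit that the plugin form omits the command while the script form prepends info->ipchange_command as a single `%s` argument. Whether argv_printf's `%s` keeps ipchange_command as one argv element or splits a value such as `/path/script --opt` into several decides whether a user-configured --ipchange value with trailing options still works after the move from system() to execve(); confirm against argv_printf and state the outcome in the comment. Suggested header: `/* Build the ipchange argv: [<ipchange_command>] <dest ip> <dest port>; the command element is included only for the --ipchange script, not for the plugin call. */`. Also, `ip` can be the literal `[undef]` when the destination address is not defined (see print_sockaddr_ex in the last hunk), so scripts and plugins receive a non-address token in that case; worth noting alongside the header.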
@@ -1508,20 +1524,21 @@ link_socket_connection_initiated (const struct buffer *buf,
/* Process --ipchange plugin */
if (plugin_defined (info->plugins, OPENVPN_PLUGIN_IPCHANGE))
{
- const char *addr_ascii = print_sockaddr_ex (&info->lsa->actual.dest, " ", PS_SHOW_PORT, &gc);
- if (plugin_call (info->plugins, OPENVPN_PLUGIN_IPCHANGE, addr_ascii, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
+ struct argv argv = argv_new ();
+ ipchange_fmt (false, &argv, info, &gc);
+ if (plugin_call (info->plugins, OPENVPN_PLUGIN_IPCHANGE, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
msg (M_WARN, "WARNING: ipchange plugin call failed");
+ argv_reset (&argv);
}
/* Process --ipchange option */
if (info->ipchange_command)
{
- struct buffer out = alloc_buf_gc (256, &gc);
+ struct argv argv = argv_new ();
setenv_str (es, "script_type", "ipchange");
- buf_printf (&out, "%s %s",
- info->ipchange_command,
- print_sockaddr_ex (&info->lsa->actual.dest, " ", PS_SHOW_PORT, &gc));
- system_check (BSTR (&out), es, S_SCRIPT, "ip-change command failed");
+ ipchange_fmt (true, &argv, info, &gc);
+ openvpn_execve_check (&argv, es, S_SCRIPT, "ip-change command failed");
+ argv_reset (&argv);
}
gc_free (&gc);
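Review bot: The --ipchange script path now goes through openvpn_execve_check, but nothing in this hunk shows where the new --script-security policy described in the commit message is enforced for this call; if the check lives inside openvpn_execve_check (inferred, not visible here), a one-line comment at the call would make that evident to anyone auditing script execution, e.g. `/* --script-security policy is enforced inside openvpn_execve_check */`. The plugin branch builds the argv, passes it to plugin_call once and then argv_reset()s it, so ownership is clear; however the single-statement `if (plugin_call (...) != OPENVPN_PLUGIN_FUNC_SUCCESS)` body immediately followed by `argv_reset (&argv);` is the shape where a later added line silently lands outside the conditional, so bracing that body costs nothing. link_socket_connection_initiated begins and ends outside this hunk.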
@@ -1791,7 +1808,8 @@ print_sockaddr_ex (const struct openvpn_sockaddr *addr,
const int port = ntohs (addr->sa.sin_port);
mutex_lock_static (L_INET_NTOA);
- buf_printf (&out, "%s", (addr_defined (addr) ? inet_ntoa (addr->sa.sin_addr) : "[undef]"));
+ if (!(flags & PS_DONT_SHOW_ADDR))
+ buf_printf (&out, "%s", (addr_defined (addr) ? inet_ntoa (addr->sa.sin_addr) : "[undef]"));
mutex_unlock_static (L_INET_NTOA);
if (((flags & PS_SHOW_PORT) || (addr_defined (addr) && (flags & PS_SHOW_PORT_IF_DEFINED)))