From a82813527551f0e79c6d6ed5a9c1162e3c171bcf Mon Sep 17 00:00:00 2001
From: james
Date: Mon, 17 Nov 2008 04:28:07 +0000
Subject: * Added additional method parameter to --script-security to preserve backward compatibility with system() call semantics used in OpenVPN 2.1_rc8 and earlier. To preserve backward compatibility use: script-security 3 system
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3495 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 options.c | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)
(limited to 'options.c')
diff --git a/options.c b/options.c
index 5e579e9..50f6982 100644
--- a/options.c
+++ b/options.c
@@ -193,10 +193,11 @@ static const char usage_message[] =
 "--setenv name value : Set a custom environmental variable to pass to script.\n"
 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
 " directives for future OpenVPN versions to be ignored.\n"
- "--script-security level : 0 -- strictly no calling of external programs\n"
- " 1 -- (default) only call built-ins such as ifconfig\n"
- " 2 -- allow calling of built-ins and scripts\n"
- " 3 -- allow password to be passed to scripts via env\n"
+ "--script-security level mode : mode='execve' (default) or 'system', level=\n"
+ " 0 -- strictly no calling of external programs\n"
+ " 1 -- (default) only call built-ins such as ifconfig\n"
+ " 2 -- allow calling of built-ins and scripts\n"
+ " 3 -- allow password to be passed to scripts via env\n"
 "--shaper n : Restrict output to peer to n bytes per second.\n"
 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
 " ping once every n seconds, restart if ping not received\n"
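Review bot: The usage text calls the new second parameter `mode` (`--script-security level mode : mode='execve' (default) or 'system'`), while the messages added in the later hunks of this patch call it `method` ("unknown --script-security method", "--script-security method='system' cannot be combined ..."). Use one term so an operator can match an error message to the help output, for example `"--script-security level method : method='execve' (default) or 'system', level=\n"`. The help also gives no hint that the two values differ in how script command lines are executed; a short remark that 'system' exists only for backward compatibility would fit here.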
@@ -1714,6 +1715,9 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
 msg (M_USAGE, "--auth-user-pass-optional %s", postfix);
 }
+
+ if ((options->ssl_flags & SSLF_NO_NAME_REMAPPING) && script_method == SM_SYSTEM)
+ msg (M_USAGE, "--script-security method='system' cannot be combined with --no-name-remapping");
 }
 else
 {
@@ -2843,11 +2847,14 @@ parse_line (const char *line,
 if (backslash && out)
 {
 if (!(out == '\\' || out == '\"' || space (out)))
+ {
 #ifdef ENABLE_SMALL
- msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
+ msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
 #else
- msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
+ msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
 #endif
+ return 0;
+ }
 }
 backslash = false;
 }
@@ -4402,7 +4409,21 @@ add_option (struct options *options,
 {
 VERIFY_PERMISSION (OPT_P_GENERAL);
 script_security = atoi (p[1]);
- }
+ if (p[2])
+ {
+ if (streq (p[2], "execve"))
+ script_method = SM_EXECVE;
+ else if (streq (p[2], "system"))
+ script_method = SM_SYSTEM;
+ else
+ {
+ msg (msglevel, "unknown --script-security method: %s", p[2]);
+ goto err;
+ }
+ }
+ else
+ script_method = SM_EXECVE;
+ }
 else if (streq (p[0], "mssfix"))
 {
 VERIFY_PERMISSION (OPT_P_GENERAL);
-- 
cgit v1.2.3
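Review bot: The new `SSLF_NO_NAME_REMAPPING` / `SM_SYSTEM` test carries no comment saying why the combination is refused, and since the reason is a security one, a later maintainer could relax it without noticing. Presumably it is that with system() a script command line is interpreted by the shell, so names received from the peer must stay remapped to a safe character set; a comment above the `if` such as `/* system() hands script command lines to the shell: refuse it when peer-supplied names are not remapped */` would record that, with the wording to be confirmed by the author. The test reads the global `script_method` rather than a field of `options`, and it sits inside an enclosing branch that opens outside the hunk, so it is worth confirming that it is reached in every configuration where scripts can receive peer-supplied strings.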
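Review bot: With the added `return 0;` a line containing a bad backslash is now abandoned, but both message variants still read "Options warning", so the log does not tell the operator that the directive was not applied. What the callers do with a zero return is outside the hunk; if they simply skip the line, a dropped directive can leave the running configuration different from what the file appears to say. State the consequence in the text, for example `"%sOptions warning: Bad backslash ('\\') usage in %s:%d: line ignored"`, in the ENABLE_SMALL branch and in the long variant alike. parse_line starts and ends outside the hunk.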
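Review bot: Selecting `system` in the new `p[2]` branch is accepted silently, although it moves script execution back to system() semantics, where the command line is parsed by the shell. A parse-time warning would make the weaker mode visible in the log: after `script_method = SM_SYSTEM;` add `msg (M_WARN, "WARNING: --script-security method='system' is for backward compatibility only");`, with braces around the two statements. Two smaller points on the same lines: the level still comes from `atoi (p[1])`, so a non-numeric or out-of-range level is not rejected the way an unknown method now is, and the trailing `else script_method = SM_EXECVE;` means a later `script-security N` line without a method resets an earlier `system` choice, which deserves a one-line comment. add_option continues outside the hunk.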