From b8fb090c167ff500a8d702f612a42914d4f0bb03 Mon Sep 17 00:00:00 2001 From: james Date: Sat, 6 Sep 2008 09:42:17 +0000 Subject: 2.1_rc8 and earlier did implicit shell expansion on script arguments since all scripts were called by system(). The security hardening changes made to 2.1_rc9 no longer use system(), but rather use the safer execve or CreateProcess system calls. The security hardening also introduced a backward incompatibility with 2.1_rc8 and earlier in that script parameters were no longer shell-expanded, so for example: client-connect "docc CLIENT-CONNECT" would fail to work because execve would try to execute a script called "docc CLIENT-CONNECT" instead of "docc" with "CLIENT-CONNECT" as the first argument. This patch fixes the issue, bringing the script argument semantics back to pre 2.1_rc9 behavior in order to preserve backward compatibility while still using execve or CreateProcess to execute the script/executable. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3311 e7ae566f-a301-0410-adde-c780ea21d3b5 --- ssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'ssl.c') diff --git a/ssl.c b/ssl.c index cd1692b..f627999 100644 --- a/ssl.c +++ b/ssl.c @@ -718,7 +718,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) setenv_str (opt->es, "script_type", "tls-verify"); - argv_printf (&argv, "%s %d %s", + argv_printf (&argv, "%sc %d %s", opt->verify_command, ctx->error_depth, subject); @@ -2937,7 +2937,7 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up setenv_untrusted (session); /* format command line */ - argv_printf (&argv, "%s %s", session->opt->auth_user_pass_verify_script, tmp_file); + argv_printf (&argv, "%sc %s", session->opt->auth_user_pass_verify_script, tmp_file); /* call command */ retval = openvpn_execve (&argv, session->opt->es, S_SCRIPT); -- cgit v1.2.3