[Openvpn-devel] White-list pull-filter and script-security in interactive service

Message ID 1548172232-11268-1-git-send-email-selva.nair@gmail.com
State Accepted

Commit Message

Selva Nair Jan. 22, 2019, 4:50 a.m. UTC
From: Selva Nair <selva.nair@gmail.com>

This allows the Windows GUI to use these options on the command
line without triggering user authorization errors.

Useful for
(i) ignoring certain pushed options such as "route-method" which
could otherwise bypass the interactive service
(ii) enforcing a safer script-security setting from the GUI

See also:
https://github.com/OpenVPN/openvpn-gui/issues/235#issuecomment-456142928

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
 src/openvpnserv/validate.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Gert Doering Jan. 22, 2019, 5:05 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

"Because it makes sense and moves toward making OpenVPN on Windows more
robust (pull-filter route-method) and secure (script-security)".  Code
change is simple enough :-)

Your patch has been applied to the master and release/2.4 branch
(security enhancement).

commit 0d94d433438f239ff7cf0749f765a503c698f5e8 (master)
commit b8190ecb33f8949f1b881c1cd240e8c1ea4fe144 (release/2.4)
Author: Selva Nair
Date:   Tue Jan 22 10:50:32 2019 -0500

     White-list pull-filter and script-security in interactive service

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <1548172232-11268-1-git-send-email-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18154.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 9e1d7d2..9b01770 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -44,6 +44,8 @@  static const WCHAR *white_list[] =
     L"setenv",
     L"service",
     L"verb",
+    L"pull-filter",
+    L"script-security",
 
     NULL                                /* last value */
 };
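
Review bot: The two entries added at the end of white_list[] are bare option names, so as far as this hunk shows the list admits "script-security" and "pull-filter" with any argument, not only the uses the commit message describes (a safer script-security setting, ignoring pushed options such as "route-method"). If the list is matched on the option name alone, a user who is not authorized to pass arbitrary options could also supply a higher script-security level or filter out pushed options the administrator relies on. Please either add a short comment beside the new entries stating why any value is acceptable from such a user, or pair them with a check on the argument. The existing entries carry no rationale comments either, so a one-line note for each new one would also help later reviewers of this list.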