From patchwork Tue Oct 28 10:16:36 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4531
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 28 Oct 2025 11:16:36 +0100
Message-ID: <20251028101642.11874-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
Subject: [Openvpn-devel] [PATCH v1] Canonicalize config_dir before comparing with the config file location

From: Selva Nair

Found by ZeroPath

Change-Id: I8e884c00cb94f97a612056e8dca74d821a6d6386
Signed-off-by: Selva Nair
Acked-by: Arne Schwabe
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1318
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1318
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/src/openvpnserv/CMakeLists.txt b/src/openvpnserv/CMakeLists.txt index 340b904..a92ee08 100644 --- a/src/openvpnserv/CMakeLists.txt +++ b/src/openvpnserv/CMakeLists.txt
@@ -6,6 +6,11 @@ add_executable(openvpnserv) +include(CheckSymbolExists) + +# Some old versions of mingw does not have PATHCCH_OPTIONS enums -- add a check +check_symbol_exists(PATHCCH_ENSURE_TRAILING_SLASH pathcch.h HAVE_PATHCCH_ENSURE_TRAILING_SLASH) + set(MC_GEN_DIR ${CMAKE_CURRENT_BINARY_DIR}/mc) target_include_directories(openvpnserv PRIVATE @@ -31,7 +36,7 @@ ) target_link_libraries(openvpnserv advapi32.lib userenv.lib iphlpapi.lib fwpuclnt.lib rpcrt4.lib - shlwapi.lib netapi32.lib ws2_32.lib ntdll.lib ole32.lib) + shlwapi.lib netapi32.lib ws2_32.lib ntdll.lib ole32.lib pathcch.lib) if (MINGW) target_compile_options(openvpnserv PRIVATE -municode) target_link_options(openvpnserv PRIVATE -municode) diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c index 59d5b86..2187fb5 100644 --- a/src/openvpnserv/validate.c +++ b/src/openvpnserv/validate.c @@ -25,6 +25,11 @@ #include #include #include +#include + +#ifndef HAVE_PATHCCH_ENSURE_TRAILING_SLASH +#define PATHCCH_ENSURE_TRAILING_SLASH 0x20 +#endif static const WCHAR *white_list[] = { L"auth-retry", @@ -61,7 +66,7 @@ { WCHAR tmp[MAX_PATH]; const WCHAR *config_file = NULL; - const WCHAR *config_dir = NULL; + WCHAR config_dir[MAX_PATH]; /* convert fname to full path */ if (PathIsRelativeW(fname)) @@ -74,9 +79,12 @@ config_file = fname; } - config_dir = s->config_dir; + /* canonicalize config_dir and add trailing slash before comparison */ + HRESULT res = PathCchCanonicalizeEx(config_dir, _countof(config_dir), s->config_dir, + PATHCCH_ENSURE_TRAILING_SLASH); - if (wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0 + if (res == S_OK + && wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0 && wcsstr(config_file + wcslen(config_dir), L"..") == NULL) { return TRUE;
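Review bot: the check_symbol_exists(PATHCCH_ENSURE_TRAILING_SLASH pathcch.h HAVE_PATHCCH_ENSURE_TRAILING_SLASH) probe in the first CMakeLists.txt hunk cannot detect the thing its own comment names. CMake's CheckSymbolExists module recognises macros and linkable functions or variables only; its documentation states that enum values are not recognised, so on any SDK where the flag is an enumerator of PATHCCH_OPTIONS (which is what "PATHCCH_OPTIONS enums" in the comment refers to) the probe fails and HAVE_PATHCCH_ENSURE_TRAILING_SLASH stays unset, leaving the fallback #define in validate.c as the value that is always used. The value 0x20 is correct, so nothing breaks, but the check is dead weight. Either replace it with check_c_source_compiles on a snippet such as `#include <pathcch.h>` / `int main(void) { return PATHCCH_ENSURE_TRAILING_SLASH; }`, or drop the probe and keep the unconditional fallback. Separately, nothing in this hunk exports HAVE_PATHCCH_ENSURE_TRAILING_SLASH to the compiler (no target_compile_definitions, no configure_file), so confirm it reaches the preprocessor through config.h or the #ifndef in validate.c is always true. While touching the comment, "Some old versions of mingw does not have" should read "do not have".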
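Review bot: adding pathcch.lib in the second CMakeLists.txt hunk makes openvpnserv.exe import PathCchCanonicalizeEx, which is a Windows 8 and later API; on an older Windows the service binary will not load at all rather than fall back. If raising the minimum OS for the service is intended it should be stated in the commit message, since the hunk gives no hint that the link-line change has that effect.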
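Review bot: `WCHAR config_dir[MAX_PATH];` in the validate.c hunk at @@ -61,7 +66,7 @@ caps the canonical form at MAX_PATH, and the later PathCchCanonicalizeEx(config_dir, _countof(config_dir), s->config_dir, PATHCCH_ENSURE_TRAILING_SLASH) will return an error when the canonical path plus the appended separator does not fit, at which point `res == S_OK` fails and every config file is rejected. Failing closed is the right direction, but it is a silent behaviour change for long installation paths that previously passed the bare prefix comparison; log the HRESULT on that path so an operator can tell a rejected path from a traversal attempt, and note that the relative-path branch writes into tmp[MAX_PATH] with the same limit.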
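Review bot: only one side of the comparison is canonicalised in the validate.c hunk at @@ -74,9 +79,12 @@. s->config_dir now goes through PathCchCanonicalizeEx with a guaranteed trailing separator, which is what closes the prefix hole (without the separator, wcsncmp over wcslen(config_dir) also accepts a file under a sibling directory whose name merely starts with the config directory's name), but config_file is still used verbatim when fname is absolute, so the wcsncmp prefix test and the wcsstr(config_file + wcslen(config_dir), L"..") scan are doing the normalisation work on that side by pattern matching. Run config_file through the same PathCchCanonicalizeEx call before comparing; the `..` scan then becomes defence in depth rather than the only traversal check, and it stops rejecting legitimate file names that happen to contain ".." (e.g. `my..config.ovpn`). Two smaller points on the same lines: wcsncmp is case-sensitive while NTFS path lookup is not, so a legitimately but differently cased path is rejected (safe, but worth a comment), and `res == S_OK` is conventionally written `SUCCEEDED(res)`. Since "Found by ZeroPath" is the whole commit message, the message should also describe the prefix-match bug this fixes; the "add trailing slash before comparison" comment is the only hint in the diff.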