[Openvpn-devel,v1] openvpnserv: Disallow stdin as config unless user is authorized

Message ID 20251103150002.23187-1-gert@greenie.muc.de
State New

Commit Message

Gert Doering Nov. 3, 2025, 2:59 p.m. UTC
From: Selva Nair <selva.nair@gmail.com>

Reported by: <stephan@srlabs.de>

Change-Id: I356faeebfade1eed9b40d6700b13621c357ec5ac
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1343
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1343
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>

Comments

Gert Doering Nov. 3, 2025, 3:21 p.m. UTC | #1
Thanks.  I have not tested this beyond "stare at code", but this is
easy enough (and I have verified the counterpart in openvpn/options.c,
which does a streq() with "stdin", so it needs to be an exact match,
not a substring or anything else).

Your patch has been applied to the master and release/2.6 branch (bugfix).

commit a3d8c40260930ab82ca5d9d71796a7763e74a03d (master)
commit a7f5f570bfe30b86b5c7088450f96b77c86dca18 (release/2.6)
Author: Selva Nair
Date:   Mon Nov 3 15:59:56 2025 +0100

     openvpnserv: Disallow stdin as config unless user is authorized

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1343
     Message-Id: <20251103150002.23187-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34156.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 2187fb5..ddaa381 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -68,6 +68,11 @@ 
     const WCHAR *config_file = NULL;
     WCHAR config_dir[MAX_PATH];
 
+    /* fname = stdin is special: do not treat it as a relative path */
+    if (wcscmp(fname, L"stdin") == 0)
+    {
+        return FALSE;
+    }
     /* convert fname to full path */
     if (PathIsRelativeW(fname))
     {
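
Review bot: the comment on the new wcscmp(fname, L"stdin") check says what is being avoided ("do not treat it as a relative path") but not what the FALSE return means to the caller. Going by the subject line, stdin is then accepted only when the user is authorized, and the comment should say so, because neither the commit message nor the code explains the security reason for this special case. The comparison is exact and case-sensitive, which agrees with the streq() against "stdin" in openvpn/options.c that the review reply mentions, so both sides recognize the same string. A blank line after the closing brace would also keep the new block visually separate from the "convert fname to full path" step.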