| Message ID | 20251103150002.23187-1-gert@greenie.muc.de |
|---|---|
| State | Accepted |
| Headers |
From: Gert Doering <gert@greenie.muc.de>
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 3 Nov 2025 15:59:56 +0100
Message-ID: <20251103150002.23187-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
In-Reply-To:
<gerrit.1762180786000.I356faeebfade1eed9b40d6700b13621c357ec5ac@gerrit.openvpn.net>
References:
<gerrit.1762180786000.I356faeebfade1eed9b40d6700b13621c357ec5ac@gerrit.openvpn.net>
Subject: [Openvpn-devel] [PATCH v1] openvpnserv: Disallow stdin as config
unless user is authorized
|
| Series | [Openvpn-devel,v1] openvpnserv: Disallow stdin as config unless user is authorized |
Commit Message
Gert Doering
Nov. 3, 2025, 2:59 p.m. UTC
From: Selva Nair <selva.nair@gmail.com>

Reported by: <stephan@srlabs.de>

Change-Id: I356faeebfade1eed9b40d6700b13621c357ec5ac
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1343
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1343
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>
Comments
Thanks. I have not tested this beyond "stare at code", but this is
easy enough (and I have verified the counterpart in openvpn/options.c,
which does a streq() with "stdin", so it needs to be an exact match,
not a substring or anything else).
Your patch has been applied to the master and release/2.6 branch (bugfix).
commit a3d8c40260930ab82ca5d9d71796a7763e74a03d (master)
commit a7f5f570bfe30b86b5c7088450f96b77c86dca18 (release/2.6)
Author: Selva Nair
Date: Mon Nov 3 15:59:56 2025 +0100
openvpnserv: Disallow stdin as config unless user is authorized
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1343
Message-Id: <20251103150002.23187-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34156.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c index 2187fb5..ddaa381 100644 --- a/src/openvpnserv/validate.c +++ b/src/openvpnserv/validate.c @@ -68,6 +68,11 @@ const WCHAR *config_file = NULL; WCHAR config_dir[MAX_PATH]; + /* fname = stdin is special: do not treat it as a relative path */ + if (wcscmp(fname, L"stdin") == 0) + { + return FALSE; + } /* convert fname to full path */ if (PathIsRelativeW(fname)) {
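Review bot: The comment above the new `wcscmp(fname, L"stdin") == 0` check in src/openvpnserv/validate.c says only that stdin must not be treated as a relative path; it does not say what `return FALSE` means to the caller. Going by the subject line, the intent is that stdin as config is accepted only when the user is authorized, so the comment should state that link explicitly rather than leave the reader to infer it from the return value. The comparison is exact and case-sensitive, which matches what the review reply reports for the `streq()` against "stdin" in openvpn/options.c; a one-line cross-reference to that counterpart in the comment would help keep the two checks in step if either side is changed later.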