From patchwork Fri Nov 14 21:29:28 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4601
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 14 Nov 2025 22:29:28 +0100
Message-ID: <20251114212936.7055-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v2] win32: ensure plugin dir has the trailing slash

From: Lev Stipakov This prevents loading plugins from the directories which share initial characters with the trusted path. Reported-by: Joshua Rogers Found-by: ZeroPath (https://zeropath.com/) Change-Id: I5ea90594493ab5cb858f7495f773e080b379e8e8 Signed-off-by: Lev Stipakov Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1332 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1332 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/CMakeLists.txt b/CMakeLists.txt index c9301e6..6888de3 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -245,6 +245,9 @@ check_symbol_exists(chsize io.h HAVE_CHSIZE) check_symbol_exists(getrlimit sys/resource.h HAVE_GETRLIMIT) +# Some old versions of mingw does not have PATHCCH_OPTIONS enums -- add a check +check_symbol_exists(PATHCCH_ENSURE_TRAILING_SLASH pathcch.h HAVE_PATHCCH_ENSURE_TRAILING_SLASH) + # Some OS (e.g. FreeBSD) need some basic headers to allow # including network headers set(NETEXTRA sys/types.h) @@ -338,7 +341,7 @@ if (WIN32) target_link_libraries(${target} PUBLIC ws2_32.lib crypt32.lib fwpuclnt.lib iphlpapi.lib - wininet.lib setupapi.lib rpcrt4.lib wtsapi32.lib ncrypt.lib bcrypt.lib) + wininet.lib setupapi.lib rpcrt4.lib wtsapi32.lib ncrypt.lib bcrypt.lib pathcch.lib) endif () endif () diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index db87dfc..a2b5e92 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -166,5 +166,5 @@ $(OPTIONAL_INOTIFY_LIBS) if WIN32 openvpn_SOURCES += openvpn_win32_resources.rc wfp_block.c wfp_block.h -openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4 -lncrypt -lsetupapi -lbcrypt +openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4 -lncrypt -lsetupapi -lbcrypt -lpathcch endif 
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index df29dd7..3ed28f6 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -51,6 +51,12 @@ #include "wfp_block.h" +#include + +#ifndef HAVE_PATHCCH_ENSURE_TRAILING_SLASH +#define PATHCCH_ENSURE_TRAILING_SLASH 0x20 +#endif + /* * WFP handle */ @@ -1553,12 +1559,12 @@ return false; } - WCHAR plugin_dir[MAX_PATH] = { 0 }; + WCHAR plugin_dir_reg[MAX_PATH] = { 0 }; /* Attempt to retrieve the trusted plugin directory path from the registry, * using installation path as a fallback */ - if (!get_openvpn_reg_value(L"plugin_dir", plugin_dir, _countof(plugin_dir)) - && !get_openvpn_reg_value(NULL, plugin_dir, _countof(plugin_dir))) + if (!get_openvpn_reg_value(L"plugin_dir", plugin_dir_reg, _countof(plugin_dir_reg)) + && !get_openvpn_reg_value(NULL, plugin_dir_reg, _countof(plugin_dir_reg))) { msg(M_WARN, "Installation path could not be determined."); } 
@@ -1570,26 +1576,35 @@ msg(M_NONFATAL | M_ERRNO, "Failed to get system directory."); } - if ((wcslen(plugin_dir) == 0) && (wcslen(system_dir) == 0)) + if ((wcslen(plugin_dir_reg) == 0) && (wcslen(system_dir) == 0)) { return false; } - WCHAR normalized_plugin_dir[MAX_PATH] = { 0 }; + WCHAR plugin_dir[MAX_PATH] = { 0 }; - /* Normalize the plugin dir */ - if (wcslen(plugin_dir) > 0) + /* normalize and canonicalize the plugin dir and add trailing slash */ + if (wcslen(plugin_dir_reg) > 0) { - if (!GetFullPathNameW(plugin_dir, MAX_PATH, normalized_plugin_dir, NULL)) + WCHAR normalized_plugin_dir[MAX_PATH] = { 0 }; + if (!GetFullPathNameW(plugin_dir_reg, MAX_PATH, normalized_plugin_dir, NULL)) { msg(M_NONFATAL | M_ERRNO, "Failed to normalize plugin dir."); + } + + HRESULT res = PathCchCanonicalizeEx(plugin_dir, _countof(plugin_dir), normalized_plugin_dir, + PATHCCH_ENSURE_TRAILING_SLASH); + if (res != S_OK) + { + /* doc says we cannot rely on GetLastError() */ + msg(M_NONFATAL, "Failed to canonicalize plugin dir."); return false; } } /* Check if the plugin path resides within the plugin/install directory */ - if ((wcslen(normalized_plugin_dir) > 0) - && (wcsnicmp(normalized_plugin_dir, plugin_path, wcslen(normalized_plugin_dir)) == 0)) + if ((wcslen(plugin_dir) > 0) + && (wcsnicmp(plugin_dir, plugin_path, wcslen(plugin_dir)) == 0)) { return true; }
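
Review bot: In the CMakeLists.txt hunk at @@ -245, check_symbol_exists is applied to what the added comment itself calls an enum, and CMake documents that this command does not recognize enum values (it points to CheckSourceCompiles or CheckTypeSize for those). If PATHCCH_ENSURE_TRAILING_SLASH is an enum constant in the toolchain's pathcch.h, the check reports it as missing even when it is present, and the fallback #define in win32.c is always taken. A check_c_source_compiles test that assigns the constant to a variable would detect it reliably. Minor: "versions of mingw does not" should read "do not".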
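
Review bot: In the win32.c hunk at @@ -51, the #ifndef HAVE_PATHCCH_ENSURE_TRAILING_SLASH guard depends on a macro that this patch only sets up in CMakeLists.txt. The Makefile.am change adds -lpathcch, but the diff carries no matching configure check, so autotools builds always use the hard-coded 0x20. Either add the equivalent check on the autotools side, or add a comment next to the #define stating that the value mirrors the header's constant and that the fallback is intentional for both build systems.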
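
Review bot: In the win32.c hunk at @@ -1570, the GetFullPathNameW failure branch no longer returns: the closing brace added right after msg(M_NONFATAL | M_ERRNO, "Failed to normalize plugin dir.") moves the existing return false into the new PathCchCanonicalizeEx error block. When GetFullPathNameW fails, the code now goes on to canonicalize a zero-filled normalized_plugin_dir, and whatever PathCchCanonicalizeEx writes for that empty input becomes the trusted prefix handed to wcsnicmp. Suggest keeping return false inside the GetFullPathNameW branch, as the pre-patch code had it, so a failed normalization never reaches the comparison. The hunk also leaves system_dir as it was; if its check further down uses the same wcsnicmp prefix pattern, it needs the same trailing-separator treatment.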