From patchwork Mon Dec 8 19:40:18 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4664
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 8 Dec 2025 20:40:18 +0100
Message-ID: <20251208194023.17193-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
Subject: [Openvpn-devel] [PATCH v2] pull-filter: improve documentation
From: Selva Nair Pull-filter uses a simple string comparison and could be defeated by unusual formatting of pushed option strings. Document that this option is not meant to be used as a security measure. Reported by: Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a Signed-off-by: Selva Nair Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index e8523d9..17f0a6a 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -345,6 +345,14 @@ next remote succeeds. To silently ignore an option pushed by the server, use :code:`ignore`. + *Warning:* ``pull-filter`` cannot be relied upon as a security measure to + protect against offending options pushed by a server. For example, the + filter could be defeated by pushing options with extra spaces between + tokens or other formatting variations. In such situations, an "allow-list" + approach using specific ``pull-filter accept`` directives followed by a + generic ``pull-filter ignore`` should be preferred over a "deny-list" + approach. This improves robustness but does not guarantee security. + --push-peer-info Push additional information about the client to server. The following data is always pushed to the server:
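Review bot: the new paragraph in client-options.rst relies on rule ordering without stating it. "specific ``pull-filter accept`` directives followed by a generic ``pull-filter ignore``" only works if the reader understands that filters are applied in the order they appear and that the generic ``ignore`` must therefore come last; consider saying so explicitly, for example "... followed by a final, catch-all ``pull-filter ignore`` (filters are matched in order, so the catch-all must be last)". Two smaller points in the same paragraph: "offending options" is unusual wording for what the sentence means, "unwanted or harmful options" reads more clearly; and since the warning explains that the match is a plain prefix comparison defeated by spacing variations, it would help to name the limitation directly ("the filter matches the pushed option text literally") before giving the extra-spaces example, so that the reader knows why an allow-list is more robust rather than only that it is.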