From patchwork Tue Dec 9 07:02:11 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4667
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 9 Dec 2025 08:02:11 +0100
Message-ID: <20251209070218.4467-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v3] pull-filter: improve documentation
From: Selva Nair Pull-filter uses a simple string comparison and could be defeated by unusual formatting of pushed option strings. Document that this option is not meant to be used as a security measure. Reported by: Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a Signed-off-by: Selva Nair Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index e8523d9..4841756 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -345,6 +345,11 @@ next remote succeeds. To silently ignore an option pushed by the server, use :code:`ignore`. + *Warning:* ``pull-filter`` cannot be relied upon as a security measure to + protect against offending options pushed by a server. For example, the + filter could be defeated by pushing options with extra spaces between + tokens or other formatting variations. + --push-peer-info Push additional information about the client to server. The following data is always pushed to the server:
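Review bot: the new warning paragraph in the client-options.rst hunk tells the reader what ``pull-filter`` cannot guarantee but not why, so consider adding the one-line reason the commit message already gives (the filter is a plain string comparison of the pushed option text), which makes the "extra spaces between tokens" example self-explanatory rather than something the reader has to take on trust. Two smaller points: the surrounding paragraph marks up option keywords with the :code: role (":code:`ignore`"), while the new text uses double backticks for ``pull-filter``, so one style should be picked for the section; and since the paragraph is inserted inside the option's indented description block, please double-check that its indentation matches the preceding "To silently ignore an option pushed by the server" paragraph, as an indentation mismatch in reStructuredText silently ends the option block rather than failing the build.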
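To make the commit message's point concrete, here is a small illustration written for this review; it is not OpenVPN's code. It models the filter as a plain prefix comparison of the pushed option string (an assumption for the illustration; the commit message only says "simple string comparison"), shows how a whitespace variation slips past it, and contrasts a token-normalized comparison. The pushed option strings are constructed sample values, not captured from a server.

```python
"""Added illustration (not OpenVPN code) of why a plain string comparison
pull filter is not a security boundary, and what token normalization changes."""
import shlex

# Constructed sample of pushed option strings, as a client might receive them.
# These are hypothetical values made up for this example.
PUSHED_OPTIONS = [
    "route 10.8.0.0 255.255.255.0",      # canonical spacing
    "route  10.8.0.0 255.255.255.0",     # extra space between tokens
    "route\t10.8.0.0 255.255.255.0",     # tab instead of space
    "redirect-gateway def1",             # unrelated option, should pass
]


def naive_match(filter_text, option):
    """Plain prefix comparison on the raw string (modelled after the
    'simple string comparison' the commit message describes)."""
    return option.startswith(filter_text)


def normalized_match(filter_text, option):
    """Compare whitespace-split token lists instead of raw strings, so
    spacing differences between tokens no longer matter."""
    try:
        f_tokens = shlex.split(filter_text)
        o_tokens = shlex.split(option)
    except ValueError:
        # Unbalanced quotes: treat as no match rather than crashing.
        return False
    return o_tokens[:len(f_tokens)] == f_tokens


def apply_filter(filter_text, options, matcher):
    """Split pushed options into those the filter catches ('ignored') and
    those that get through to the client unchanged ('passed')."""
    ignored = [o for o in options if matcher(filter_text, o)]
    passed = [o for o in options if not matcher(filter_text, o)]
    return ignored, passed


if __name__ == "__main__":
    rule = "route 10.8.0.0"
    for name, matcher in (("naive", naive_match), ("normalized", normalized_match)):
        ignored, passed = apply_filter(rule, PUSHED_OPTIONS, matcher)
        print(f"{name}: ignored={ignored!r}")
        print(f"{name}: passed ={passed!r}")
```

With the rule `route 10.8.0.0`, the naive matcher ignores only the canonically spaced line and lets the two whitespace variants through, which is exactly the failure the new warning describes. Normalizing tokens closes that particular gap, but it does not turn the filter into a security boundary: the option parser may accept other variations the matcher does not anticipate, which is why the patch documents the feature as a convenience rather than a protection.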