bsdinstall: Avoid invoking eval on the wlan SSID list

The wlanconfig utility is not careful about handling untrusted network
names, which can contain shell metacharacters.  Factor network selection
into a subroutine and use the `set -- "$@"` trick to build up a list of
positional parameters for bsddialog without evaluating them.

Approved by:	so
Security:	FreeBSD-SA-26:23.bsdinstall
Security:	CVE-2026-45255
Reported by:	Austin Ralls
Reviewed by:	dteske, des, asiciliano
Differential Revision:	https://reviews.freebsd.org/D56973
Mark Johnston
2026-05-12 14:13:56 +00:00
parent a10bc81d33
commit 0f15f53590
+31 -16
@@ -147,6 +147,34 @@ dialog_country_select()
country_set "$regdomain" "$country"
}
dialog_network_select()
{
local ssid flags height width rows prompt
# Avoid using eval on untrusted data.
set --
while IFS=$'\t' read -r ssid flags; do
[ -n "$ssid" ] || continue
set -- "$@" "$ssid" "$flags"
done <<EOF
$NETWORKS
EOF
f_dialog_title "Network Selection"
prompt="Select a wireless network to connect to."
f_dialog_menu_size height width rows \
"$DIALOG_TITLE" "$DIALOG_BACKTITLE" "$prompt" "" "$@"
$DIALOG \
--title "$DIALOG_TITLE" \
--backtitle "$DIALOG_BACKTITLE" \
--extra-button \
--extra-label "Rescan" \
--menu "$prompt" \
$height $width $rows \
"$@" \
2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
}
############################################################ MAIN
: > "$BSDINSTALL_TMPETC/wpa_supplicant.conf"
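Review bot: The new `dialog_network_select` has no header comment, although the caller depends on two things that are not obvious from the body: the selected menu tag (the SSID) is written to stdout, and the function's status is `$DIALOG`'s exit status, which the caller reads as `retval=$?` to distinguish Cancel from Rescan. A short bsdconfig-style header such as `# dialog_network_select` / `# Menu of the "ssid<TAB>flags" lines in $NETWORKS; prints the chosen SSID on stdout and returns $DIALOG's exit status.` would make that contract explicit, and the comment on the `set --` line could add that the here-doc is safe because expansion results are never rescanned by the shell. Separately, the third hunk still splices `$NETWORK` into the awk program text as a regex (`"/^$NETWORK\t/ { print \$2 }"`), so an SSID containing `/`, `[` or `.` either makes awk fail to parse the program or matches the wrong row, leaving `ENCRYPTION` empty or wrong; `awk -F '\t' -v ssid="$NETWORK" '$1 == ssid { print $2 }'` compares the field literally and keeps the SSID out of the program text.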
@@ -213,27 +241,14 @@ while :; do
f_eval_catch -dk SCAN_RESULTS wlanconfig wpa_cli "wpa_cli scan_results"
NETWORKS=$( echo "$SCAN_RESULTS" | awk -F '\t' '
/..:..:..:..:..:../ && $5 { printf "\"%s\"\t\"%s\"\n", $5, $4 }
/..:..:..:..:..:../ && $5 { print $5 "\t" $4 }
' | sort | uniq )
if [ ! "$NETWORKS" ]; then
f_dialog_title "$msg_error"
f_yesno "No wireless networks were found. Rescan?" && continue
else
f_dialog_title "Network Selection"
prompt="Select a wireless network to connect to."
f_dialog_menu_size height width rows "$DIALOG_TITLE" \
"$DIALOG_BACKTITLE" "$prompt" "" $NETWORKS
NETWORK=$( eval $DIALOG \
--title \"\$DIALOG_TITLE\" \
--backtitle \"\$DIALOG_BACKTITLE\" \
--extra-button \
--extra-label \"Rescan\" \
--menu \"\$prompt\" \
$height $width $rows \
$NETWORKS \
2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
)
NETWORK=$( dialog_network_select )
fi
retval=$?
f_dialog_data_sanitize NETWORK
@@ -270,7 +285,7 @@ while :; do
done
[ "$ENCRYPTION" ] || ENCRYPTION=$( echo "$NETWORKS" |
awk -F '\t' "/^\"$NETWORK\"\t/ { print \$2 }" )
awk -F '\t' "/^$NETWORK\t/ { print \$2 }" )
if echo "$ENCRYPTION" | grep -q PSK; then
PASS=$( $DIALOG \