nuageinit: validate set-name to prevent shell injection in variable names
Shell variable names cannot be safely quoted with shell_escape() — only alphanumeric characters are valid. Add validation that set-name only matches [a-zA-Z0-9]+; invalid values are rejected with a warning and the rename is skipped entirely.
@@ -429,8 +429,12 @@ local function network_config(obj)
|
|||||||
local ifaces = get_ifaces_by_mac()
|
local ifaces = get_ifaces_by_mac()
|
||||||
local matched = ifaces[v.match.macaddress]
|
local matched = ifaces[v.match.macaddress]
|
||||||
if matched and matched == interface then
|
if matched and matched == interface then
|
||||||
network:write("ifconfig_" .. interface .. "_name=" .. nuage.shell_escape(v["set-name"]) .. "\n")
|
if not v["set-name"]:match("^[a-zA-Z0-9]+$") then
|
||||||
interface = v["set-name"]
|
nuage.warn("set-name contains invalid characters, ignoring: " .. v["set-name"])
|
||||||
|
else
|
||||||
|
network:write("ifconfig_" .. interface .. "_name=" .. nuage.shell_escape(v["set-name"]) .. "\n")
|
||||||
|
interface = v["set-name"]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
if v.dhcp4 then
|
if v.dhcp4 then
|
||||||
|
|||||||
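Review bot: The added guard calls `v["set-name"]:match(...)` without confirming the value is a string, so if the YAML parser yields a number or table for `set-name` (or the key is absent and nothing above this hunk checks for it), this line raises a Lua error instead of reaching the warning path. Binding the value once and testing its type first would close that: `local name = v["set-name"]` followed by `if type(name) ~= "string" or not name:match("^[a-zA-Z0-9]+$") then`. The `nuage.warn` call also concatenates the rejected value verbatim, and this branch is by definition the one where it holds characters outside the allowlist, so newlines or terminal control bytes from user-data would land in the log unchanged. Logging `(tostring(name):gsub("[^%w%p ]", "?"))` or only the fact of rejection avoids that. `network_config` starts and ends outside the hunk, so an earlier presence check on `set-name` cannot be confirmed from here.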