bsdconfig: Make sure that SSID names are properly escaped

The f_menu_wpa_scan_results() function returns a list of networks
discovered by a scan.  The untrusted network names are evaluated in
f_dialog_menu_wireless_edit.  The quoting applied in
f_menu_wpa_scan_results() protects against evaluation of something like
"$(whoami)" but one can add single quotes to defeat that.

Pass the SSID names through f_shell_escape to work around this.  Escape
single quotes in f_dialog_wireless_edit() and f_menu_wireless_configs()
too for consistency.

I note that this module doesn't seem to actually work, see e.g.,
bugzilla PR 229883.

Approved by:	so
Security:	FreeBSD-SA-26:23.bsdinstall
Security:	CVE-2026-45255
Reported by:	Austin Ralls
Reviewed by:	dteske, des
Differential Revision:	https://reviews.freebsd.org/D56974
This commit is contained in:
Mark Johnston
2026-05-12 14:16:46 +00:00
parent 0f15f53590
commit 2afb4c979f
+3
View File
@@ -813,6 +813,7 @@ f_dialog_wireless_edit()
[ $nmatches -le ${#DIALOG_MENU_TAGS} ] || break
f_substr -v tag "$DIALOG_MENU_TAGS" $nmatches 1
f_shell_escape "$wssid" wssid
f_wireless_describe WIRELESS_$n help
menu_list1="$menu_list1
'$tag $wssid' '$wbssid' '$help'
@@ -1076,6 +1077,7 @@ f_menu_wireless_configs()
while [ $n -lt $nunique ]; do
n=$(( $n + 1 ))
menuitem_$n get ssid ssid
f_shell_escape "$ssid" ssid
menuitem_$n get nconfigs nconfigs
desc="$nconfigs $msg_configured_lc"
@@ -1184,6 +1186,7 @@ f_menu_wpa_scan_results()
while [ $n -lt $nunique ]; do
n=$(( $n + 1 ))
menuitem_$n get ssid ssid
f_shell_escape "$ssid" ssid
desc=
if [ "$DIALOG_MENU_WLAN_SHOW_ALL" ]; then