bsdconfig: Make sure that SSID names are properly escaped
The f_menu_wpa_scan_results() function returns a list of networks discovered by a scan. The untrusted network names are evaluated in f_dialog_menu_wireless_edit. The quoting applied in f_menu_wpa_scan_results() protects against evaluation of something like "$(whoami)" but one can add single quotes to defeat that. Pass the SSID names through f_shell_escape to work around this. Escape single quotes in f_dialog_wireless_edit() and f_menu_wireless_configs() too for consistency. I note that this module doesn't seem to actually work, see e.g., bugzilla PR 229883. Approved by: so Security: FreeBSD-SA-26:23.bsdinstall Security: CVE-2026-45255 Reported by: Austin Ralls Reviewed by: dteske, des Differential Revision: https://reviews.freebsd.org/D56974
@@ -813,6 +813,7 @@ f_dialog_wireless_edit()
|
||||
[ $nmatches -le ${#DIALOG_MENU_TAGS} ] || break
|
||||
f_substr -v tag "$DIALOG_MENU_TAGS" $nmatches 1
|
||||
|
||||
f_shell_escape "$wssid" wssid
|
||||
f_wireless_describe WIRELESS_$n help
|
||||
menu_list1="$menu_list1
|
||||
'$tag $wssid' '$wbssid' '$help'
|
||||
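Review bot: Only `wssid` is escaped before the `'$tag $wssid' '$wbssid' '$help'` entry is built, so `wbssid` and `help` still land unescaped inside single quotes in the same list. `help` is filled by `f_wireless_describe`, which is not visible here; if it or `wbssid` can carry text taken from a scan or a configuration file, they need the same treatment: `f_shell_escape "$wbssid" wbssid` and `f_shell_escape "$help" help`. The escape also overwrites `wssid` in place (as it does `ssid` in f_menu_wireless_configs() and f_menu_wpa_scan_results()), so any later comparison or display outside the evaluated list would see the escaped form; writing to a separate variable such as `wssid_esc` would avoid that. The function body and the closing quote of `menu_list1` lie outside the hunk, so this should be checked against the full function.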
@@ -1076,6 +1077,7 @@ f_menu_wireless_configs()
|
||||
while [ $n -lt $nunique ]; do
|
||||
n=$(( $n + 1 ))
|
||||
menuitem_$n get ssid ssid
|
||||
f_shell_escape "$ssid" ssid
|
||||
|
||||
menuitem_$n get nconfigs nconfigs
|
||||
desc="$nconfigs $msg_configured_lc"
|
||||
@@ -1184,6 +1186,7 @@ f_menu_wpa_scan_results()
|
||||
while [ $n -lt $nunique ]; do
|
||||
n=$(( $n + 1 ))
|
||||
menuitem_$n get ssid ssid
|
||||
f_shell_escape "$ssid" ssid
|
||||
|
||||
desc=
|
||||
if [ "$DIALOG_MENU_WLAN_SHOW_ALL" ]; then
|
||||
|
||||
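Review bot: The escaped `ssid` is the only field hardened here, while `desc` is reset and then apparently built under `DIALOG_MENU_WLAN_SHOW_ALL` in lines outside the hunk. If that description is assembled from other scan-result fields and placed in the same single-quoted menu entry, it should pass through `f_shell_escape` as well before use. A short comment above the new call would keep the invariant visible to later editors, for example `# SSIDs come from untrusted scan results and are later eval'd inside single quotes`. The loop body continues past the end of the hunk.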