Replace santize_path() and ignore Windows "security" warning

sanitize_path() is unnecessary and simply replaced by a condition in init_pki(), to protect against use of root / directory. Push the dubious Easy-RSA Windows "security" warning to verbose mode. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Oct 9, 2023 · 19720c0 · 19720c0
1 parent 00efeb8
commit 19720c0
Showing 1 changed file with 9 additions and 42 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -1312,6 +1312,14 @@ You are about to remove the EASYRSA_PKI at:
 
 and initialize a fresh PKI here."
 
+		# EasyRSA will NOT do 'rm -rf /'
+		case "$EASYRSA_PKI" in
+		.|..|./|../|/|\\|?:|'')
+			if [ -w "$EASYRSA_PKI" ]; then
+				die "Invalid configuration."
+			fi
+		esac
+
 		# now remove it:
 		case "$reset" in
 		hard)
@@ -5584,7 +5592,7 @@ EasyRSA '$cmd' does not support --startdate or --enddate"
 	if [ "$easyrsa_host_os" = win ]; then
 		if echo "$PWD" | grep -q '/Prog.*/OpenVPN/easy-rsa'
 		then
-			warn "\
+			verbose "\
 Using Windows-System-Folders for your PKI is NOT SECURE!
 Your Easy-RSA PKI CA Private Key is WORLD readable.
 
@@ -5596,12 +5604,6 @@ To correct this problem, it is recommended that you either:
 		fi
 	fi
 
-	# Use of --silent and --verbose
-	if [ "$EASYRSA_SILENT" ] && [ "$EASYRSA_VERBOSE" ]; then
-		user_error "\
-Use of --silent and --verbose is unresolvable."
-	fi
-
 	verbose "mutual_exclusions: COMPLETED"
 } # => mutual_exclusions()
 
@@ -5869,9 +5871,6 @@ ${unexpected_error}"
 
 # Verify working environment
 verify_working_env() {
-	# Do not allow demented paths, eg: '/' or '\'
-	sanitize_path
-
 	# Verify SSL Lib - One time ONLY
 	verify_ssl_lib
 
@@ -5928,38 +5927,6 @@ Temporary directory does not exist:
 	verbose "verify_working_env: COMPLETED"
 } # => verify_working_env()
 
-# Sanitize demented directory names
-sanitize_path() {
-	# Sanitize PWD
-	verbose "Working dir: $PWD"
-	case "$PWD" in
-	*/|*\\|?:)
-		user_error "\
-EasyRSA cannot be run in the root directory: $PWD"
-	esac
-
-	# Sanitize EASYRSA
-	verbose "EASYRSA: $EASYRSA"
-	case "$EASYRSA" in
-	*/|*\\|?:)
-		user_error "Invalid EASYRSA: $EASYRSA"
-	esac
-
-	# Sanitize EASYRSA_PKI
-	verbose "EASYRSA_PKI: $EASYRSA_PKI"
-	case "$EASYRSA_PKI" in
-	*/|*\\|?:)
-		user_error "Invalid EASYRSA_PKI: $EASYRSA_PKI"
-	esac
-
-	# Sanitize EASYRSA_TEMP_DIR
-	verbose "EASYRSA_TEMP_DIR: $EASYRSA_TEMP_DIR"
-	case "$EASYRSA_TEMP_DIR" in
-	*/|*\\|?:)
-		user_error "Invalid EASYRSA_TEMP_DIR: $EASYRSA_TEMP_DIR"
-	esac
-} # => sanitize_path()
-
 # variable assignment by indirection.
 # Sets '$1' as the value contained in '$2'
 # and exports (may be blank)