From 5cb462dc39b468dffada532dfcb6340c510f9998 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 19 Oct 2023 00:41:23 +0100 Subject: [PATCH 1/2] escape_hazard(): Reuse source_vars() This catches misuse of command options for DN. eg: --dn-mode=org --req-ou="Test backtick: `" build-* foo Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c26d21c4f..ce61c841a 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -996,13 +996,8 @@ export EASYRSA_REQ_SERIAL=\"$EASYRSA_REQ_SERIAL\"\ escape_hazard - Failed to write temp-file" # Reload fields from fully escaped temp-file - # shellcheck disable=SC1090 # can't follow ... - (. "$escape_hazard_tmp") || die "\ -escape_hazard - Failed to source temp-file" - + source_vars "$escape_hazard_tmp" verbose "escape_hazard: COMPLETED" - # shellcheck disable=SC1090 # can't follow ... - . "$escape_hazard_tmp" } # => escape_hazard() # Replace environment variable names with current value @@ -5684,12 +5679,6 @@ No Easy-RSA 'vars' configuration file exists!" # Source a vars file source_vars() { - # Never use vars file - if [ "$EASYRSA_NO_VARS" ]; then - verbose "source_vars: EASYRSA_NO_VARS" - return - fi - # File to be sourced target_file="$1" @@ -7223,7 +7212,7 @@ esac select_vars # source the vars file -source_vars "$EASYRSA_VARS_FILE" +[ "$EASYRSA_NO_VARS" ] || source_vars "$EASYRSA_VARS_FILE" # then set defaults default_vars From 5f207cda0eed642ebd7f47ef81ee0f930f3359b8 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 19 Oct 2023 02:51:22 +0100 Subject: [PATCH 2/2] source_vars(): Use grep efficiently Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 70 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 47 insertions(+), 23 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ce61c841a..3c58c647a 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5701,36 +5701,60 @@ Using Easy-RSA 'vars' configuration: if grep -q \ -e 'EASYRSA_PASSIN' -e 'EASYRSA_PASSOUT' \ -e '[^(]`[^)]' \ + -e '[[:blank:]]export[[:blank:]]*' \ + -e '[[:blank:]]unset[[:blank:]]*' \ "$target_file" then - user_error "\ -One or more of these problems has been found in your 'vars' file: -* $target_file - -* Use of 'EASYRSA_PASSIN' or 'EASYRSA_PASSOUT': -Storing password information in the 'vars' file is not permitted. + # here we go .. + err_msg="\ +These problems have been found in your 'vars' settings:${NL}" + + # No passwords! + if grep -q \ + -e 'EASYRSA_PASSIN' -e 'EASYRSA_PASSOUT' \ + "$target_file" + then + err_msg="${err_msg} + Use of 'EASYRSA_PASSIN' or 'EASYRSA_PASSOUT': + Storing password information in the 'vars' file is not permitted." + fi -* Use of unsupported characters: -These characters are not supported: \` backtick + # No backticks + if grep -q \ + -e '[^(]`[^)]' \ + "$target_file" + then + err_msg="${err_msg} + Use of unsupported characters: + These characters are not supported: \` backtick" + fi -Please, correct these errors and try again." - fi + # No export + if grep -q \ + -e '[[:blank:]]export[[:blank:]]*' \ + "$target_file" + then + err_msg="${err_msg} + Use of 'export': + Remove 'export' or replace it with 'set_var'." + fi - # Sanitize vars - if grep -q \ - -e '[[:blank:]]export[[:blank:]]*' \ - -e '[[:blank:]]unset[[:blank:]]*' \ - "$target_file" - then - user_error "\ -One or more of these problems has been found in your 'vars' file: -* $target_file + # No unset + if grep -q \ + -e '[[:blank:]]unset[[:blank:]]*' \ + "$target_file" + then + err_msg="${err_msg} + Use of 'unset': + Remove 'unset' ('force_set_var' may also work)." + fi -* Use of 'export': -Remove 'export' or replace it with 'set_var'. + # Fatal error + user_error "${err_msg}${NL} +Please, correct these errors and try again." -* Use of 'unset': -Remove 'unset' ('force_set_var' may also work)." + else + verbose "source_vars: CLEAN '$target_file'" fi # Enable sourcing 'vars'