git: 13fb6dbc738f - main - nuageinit: validate set-name to prevent shell injection in variable names

From: Baptiste Daroussin <bapt_at_FreeBSD.org>
Date: Tue, 09 Jun 2026 16:04:32 UTC
The branch main has been updated by bapt:

URL: https://cgit.FreeBSD.org/src/commit/?id=13fb6dbc738f4ba30e78a8fb21efa1382c520d33

commit 13fb6dbc738f4ba30e78a8fb21efa1382c520d33
Author:     Baptiste Daroussin <bapt@FreeBSD.org>
AuthorDate: 2026-06-09 14:24:56 +0000
Commit:     Baptiste Daroussin <bapt@FreeBSD.org>
CommitDate: 2026-06-09 16:04:25 +0000

    nuageinit: validate set-name to prevent shell injection in variable names
    
    Shell variable names cannot be safely quoted with shell_escape() —
    only alphanumeric characters are valid. Add validation that set-name
    only matches [a-zA-Z0-9]+; invalid values are rejected with a
    warning and the rename is skipped entirely.
---
 libexec/nuageinit/nuageinit | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit
index 8ca1a2c558c8..ba26f504effb 100755
--- a/libexec/nuageinit/nuageinit
+++ b/libexec/nuageinit/nuageinit
@@ -429,8 +429,12 @@ local function network_config(obj)
 				local ifaces = get_ifaces_by_mac()
 				local matched = ifaces[v.match.macaddress]
 				if matched and matched == interface then
-					network:write("ifconfig_" .. interface .. "_name=" .. nuage.shell_escape(v["set-name"]) .. "\n")
-					interface = v["set-name"]
+					if not v["set-name"]:match("^[a-zA-Z0-9]+$") then
+						nuage.warn("set-name contains invalid characters, ignoring: " .. v["set-name"])
+					else
+						network:write("ifconfig_" .. interface .. "_name=" .. nuage.shell_escape(v["set-name"]) .. "\n")
+						interface = v["set-name"]
+					end
 				end
 			end
 			if v.dhcp4 then
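Review bot: The added check calls `v["set-name"]:match(...)` directly, so a `set-name` that is not a string (for example a bare numeric scalar, if the YAML parser yields a number) would raise an error instead of taking the warning path. Whether an outer condition already guarantees a string cannot be seen here, because network_config starts and continues outside this hunk. Binding the value once and testing its type keeps rejection uniform: `local name = v["set-name"]` followed by `if type(name) ~= "string" or not name:match("^[a-zA-Z0-9]+$") then`. The warning also concatenates the rejected value verbatim, so control characters or newlines from the untrusted network config would reach the console or log; replacing non-printable characters before logging, or omitting the value, avoids that. The pattern also has no upper length bound, so a name longer than the kernel's IFNAMSIZ limit would presumably fail to apply at boot even though `interface` has already been switched to it; a length check in the same condition would reject it early.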