git: 7a2a3a32e0d0 - releng/15.1 - bsdinstall: Avoid invoking eval on the wlan SSID list
Date: Wed, 20 May 2026 19:38:56 UTC
The branch releng/15.1 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=7a2a3a32e0d0e94ddeddb2cce47fea940209beaa
commit 7a2a3a32e0d0e94ddeddb2cce47fea940209beaa
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-12 14:13:56 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-20 13:52:00 +0000
bsdinstall: Avoid invoking eval on the wlan SSID list
The wlanconfig utility is not careful about handling untrusted network
names, which can contain shell metacharacters. Factor network selection
into a subroutine and use the `set -- "$@"` trick to build up a list of
positional parameters for bsddialog without evaluating them.
Approved by: re
Approved by: so
Security: FreeBSD-SA-26:23.bsdinstall
Security: CVE-2026-45255
Reported by: Austin Ralls
Reviewed by: dteske, des, asiciliano
Differential Revision: https://reviews.freebsd.org/D56973
---
usr.sbin/bsdinstall/scripts/wlanconfig | 47 ++++++++++++++++++++++------------
1 file changed, 31 insertions(+), 16 deletions(-)
diff --git a/usr.sbin/bsdinstall/scripts/wlanconfig b/usr.sbin/bsdinstall/scripts/wlanconfig
index 33d94a933f45..aababf76c266 100755
--- a/usr.sbin/bsdinstall/scripts/wlanconfig
+++ b/usr.sbin/bsdinstall/scripts/wlanconfig
@@ -147,6 +147,34 @@ dialog_country_select()
country_set "$regdomain" "$country"
}
+dialog_network_select()
+{
+ local ssid flags height width rows prompt
+
+ # Avoid using eval on untrusted data.
+ set --
+ while IFS=$'\t' read -r ssid flags; do
+ [ -n "$ssid" ] || continue
+ set -- "$@" "$ssid" "$flags"
+ done <<EOF
+$NETWORKS
+EOF
+
+ f_dialog_title "Network Selection"
+ prompt="Select a wireless network to connect to."
+ f_dialog_menu_size height width rows \
+ "$DIALOG_TITLE" "$DIALOG_BACKTITLE" "$prompt" "" "$@"
+ $DIALOG \
+ --title "$DIALOG_TITLE" \
+ --backtitle "$DIALOG_BACKTITLE" \
+ --extra-button \
+ --extra-label "Rescan" \
+ --menu "$prompt" \
+ $height $width $rows \
+ "$@" \
+ 2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
+}
+
############################################################ MAIN
: > "$BSDINSTALL_TMPETC/wpa_supplicant.conf"
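Review bot: The menu items are now passed to `$DIALOG` as separate words, which removes the eval problem, but an SSID that begins with `-` is still handed to the dialog binary as a bare argument after `$rows`, and if its option parser permutes arguments (getopt_long does by default) such a name could be read as an option rather than a menu tag; worth confirming against bsddialog and, if it accepts a terminator, inserting `--` before `"$@"`. The new function also reads the `NETWORKS` global and returns the exit status of the final `$DIALOG` command, which the caller relies on via `retval=$?`; that contract is not written down, so a header comment such as `# Reads tab-separated "ssid<TAB>flags" lines from $NETWORKS, presents them as a menu, and exits with $DIALOG's status (the selected SSID is printed to stdout).` would help the next maintainer. The `IFS=$'\t'` form relies on the shell supporting `$'...'` quoting, which FreeBSD's sh does; note it if the script is meant to run elsewhere.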
@@ -213,27 +241,14 @@ while :; do
f_eval_catch -dk SCAN_RESULTS wlanconfig wpa_cli "wpa_cli scan_results"
NETWORKS=$( echo "$SCAN_RESULTS" | awk -F '\t' '
- /..:..:..:..:..:../ && $5 { printf "\"%s\"\t\"%s\"\n", $5, $4 }
+ /..:..:..:..:..:../ && $5 { print $5 "\t" $4 }
' | sort | uniq )
if [ ! "$NETWORKS" ]; then
f_dialog_title "$msg_error"
f_yesno "No wireless networks were found. Rescan?" && continue
else
- f_dialog_title "Network Selection"
- prompt="Select a wireless network to connect to."
- f_dialog_menu_size height width rows "$DIALOG_TITLE" \
- "$DIALOG_BACKTITLE" "$prompt" "" $NETWORKS
- NETWORK=$( eval $DIALOG \
- --title \"\$DIALOG_TITLE\" \
- --backtitle \"\$DIALOG_BACKTITLE\" \
- --extra-button \
- --extra-label \"Rescan\" \
- --menu \"\$prompt\" \
- $height $width $rows \
- $NETWORKS \
- 2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
- )
+ NETWORK=$( dialog_network_select )
fi
retval=$?
f_dialog_data_sanitize NETWORK
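Review bot: The `NETWORK` value captured at `NETWORK=$( dialog_network_select )` is still interpolated into an awk regex later in this patch, at `awk -F '\t' "/^$NETWORK\t/ { print \$2 }"` (third hunk, whose end lies outside this view), so the eval removal does not cover that consumer: regex metacharacters in an SSID (`.`, `*`, `[`, `$`) change which line matches, and a `/` or `\` can break the awk program outright, unless `f_dialog_data_sanitize` escapes the value, which I cannot confirm from here. A string comparison against a variable avoids both problems, e.g. `ENCRYPTION=$( echo "$NETWORKS" | NET="$NETWORK" awk -F '\t' '$1 == ENVIRON["NET"] { print $2 }' )`; `ENVIRON` is used rather than `-v` because `-v` processes backslash escapes, and the SSID text from `wpa_cli scan_results` may contain them. The enclosing `while :; do` loop starts before this hunk.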
@@ -270,7 +285,7 @@ while :; do
done
[ "$ENCRYPTION" ] || ENCRYPTION=$( echo "$NETWORKS" |
- awk -F '\t' "/^\"$NETWORK\"\t/ { print \$2 }" )
+ awk -F '\t' "/^$NETWORK\t/ { print \$2 }" )
if echo "$ENCRYPTION" | grep -q PSK; then
PASS=$( $DIALOG \