From 489d2238d23e503072ba3ee470c470c73031a7d9 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 16 Aug 2023 16:48:52 +0100
Subject: [PATCH] verify_working_env: sanitize_path(), forbid broken values
Forbid any path ending with '/', '\' or ':'
This protects user variables for paths from being set to the root folder.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 24d513e4a..d266feb41 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -5867,6 +5867,9 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'"
 # Verify working environment
 verify_working_env() {
+ # Do not allow demented paths, eg: '/' or '\'
+ sanitize_path
+
 # Verify SSL Lib - One time ONLY
 verify_ssl_lib
@@ -5923,6 +5926,38 @@ Temporary directory does not exist:
 verbose "verify_working_env: COMPLETED"
 } # => verify_working_env()
+# Sanitize demented directory names
+sanitize_path() {
+ # Sanitize PWD
+ verbose "Working dir: $PWD"
+ case "$PWD" in
+ */|*\\|?:)
+ user_error "\
+EasyRSA cannot be run in the root directory: $PWD"
+ esac
+
+ # Sanitize EASYRSA
+ verbose "EASYRSA: $EASYRSA"
+ case "$EASYRSA" in
+ */|*\\|?:)
+ user_error "Invalid EASYRSA: $EASYRSA"
+ esac
+
+ # Sanitize EASYRSA_PKI
+ verbose "EASYRSA_PKI: $EASYRSA_PKI"
+ case "$EASYRSA_PKI" in
+ */|*\\|?:)
+ user_error "Invalid EASYRSA_PKI: $EASYRSA_PKI"
+ esac
+
+ # Sanitize EASYRSA_TEMP_DIR
+ verbose "EASYRSA_TEMP_DIR: $EASYRSA_TEMP_DIR"
+ case "$EASYRSA_TEMP_DIR" in
+ */|*\\|?:)
+ user_error "Invalid EASYRSA_TEMP_DIR: $EASYRSA_TEMP_DIR"
+ esac
+} # => sanitize_path()
+
 # variable assignment by indirection.
 # Sets '$1' as the value contained in '$2'
 # and exports (may be blank)
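Review bot: The `sanitize_path` call added at the top of verify_working_env runs before every other step of the function, and nothing in this hunk shows that EASYRSA, EASYRSA_PKI and EASYRSA_TEMP_DIR already hold their final values at that point; if any of them is defaulted or reassigned later, the value checked is not the value used. The comment above the call could state that ordering requirement and name what is checked, for example `# Reject root-like values of PWD, EASYRSA, EASYRSA_PKI and EASYRSA_TEMP_DIR; these must be assigned before this call`. The rest of verify_working_env lies outside the hunk, so the ordering could not be confirmed from here.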
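Review bot: The patterns in each `case` of the new sanitize_path are purely textual, so they reject a trailing `/` or `\` and a bare drive spec, but an empty value and root-equivalent spellings such as `/.` or `/..` pass all four checks. The `?:` alternative matches only a value that is exactly two characters long, whereas the commit description says any path ending in ':' is forbidden, so code and description should be aligned. If an empty EASYRSA_PKI or EASYRSA_TEMP_DIR is not legitimate at this point (not visible from the hunk), widening the pattern to `''|*/|*\\|*/.|*/..|?:)` would close both gaps. The four blocks differ only in the variable name and message, so a small helper taking the name and value would keep the pattern in one place, with a header comment such as `# Rejects values that textually name a filesystem root; does not resolve symlinks or relative components`.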
@@ -5935,7 +5970,7 @@ set_var() {
 esac
 eval "export \"$1\"=\"\${$1-$2}\"" && return
 die "set_var - eval '$*'"
-} #=> set_var()
+} # => set_var()
 # sanatize and set var
 # nix.sh/win.sh/busybox.sh never return error from unset