From: Michael Tremer Date: Thu, 6 Sep 2012 20:04:21 +0000 (+0000) Subject: Parse configuration files in a secure way. X-Git-Tag: 005~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=144a8f963bd031e17504d79b76bba74694ef142c;p=network.git Parse configuration files in a secure way. Don't use the source function anymore which is unsecure. --- diff --git a/functions.config b/functions.config index 123e5f61..f10bcf14 100644 --- a/functions.config +++ b/functions.config @@ -26,13 +26,57 @@ function config_read_globals() { } function config_read() { - local config_file=${1} - assert isset config_file + local file=${1} + assert isset file + shift + + local valid_keys=$@ + + # Exit if the file cannot be read. + [ -r "${file}" ] || return ${EXIT_ERROR} + + local line key val + while read -r line; do + case "${line}" in + *=*) + key=$(cli_get_key ${line}) + + # If valid keys is set, key must be in the list. + if [ -n "${valid_keys}" ]; then + if ! listmatch ${key} ${valid_keys}; then + log DEBUG "Ignoring configuration setting: ${key}" + continue + fi + fi + + val=$(cli_get_val ${line}) + val=$(config_strip ${val}) + + # Assign variable. + printf -v ${key} "%s" "${val}" + ;; + *) + log DEBUG "Invalid line in configuration file: ${line}" + continue + ;; + esac + done < ${file} +} + +# Strip leading and trailing "s. +function config_strip() { + local var=${1} + + if [ "${var:0:1}" = "\"" ]; then + var=${var:1} + fi - if [ -e "${config_file}" ]; then - . ${config_file} - config_check + local last=$(( ${#var} - 1 )) + if [ ${last} -gt 0 ] && [ "${var:${last}:1}" = "\"" ]; then + var=${var:0:${last}} fi + + print "${var}" } function config_write() { @@ -93,6 +137,14 @@ function config_hostname() { fi } +function config_domainname() { + local hostname=$(config_hostname) + + # Strip off the hostname part and just return + # the domain part. + print "${hostname#*.}" +} + function config_set() { while [ $# -gt 0 ]; do case "${1}" in 
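Review bot: `printf -v ${key}` in config_read is reached with a key taken straight from the file whenever the caller passes no valid keys, and the same unquoted assignment replaces `eval` in config_set (third hunk), so nothing guarantees the target is a plain variable name. bash evaluates an array subscript in a `printf -v` target, and any shell variable such as `PATH` or `IFS` can be overwritten this way. I would reject non-identifiers first with `[[ ${key} =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue` (with the equivalent check in config_set) and quote the target as `printf -v "${key}" "%s" "${val}"`. Separately, `config_strip ${val}` is unquoted and config_strip reads only `${1}`, so a value containing spaces appears to be cut at its first word; `val=$(config_strip "${val}")` keeps it intact.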
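Review bot: `${hostname#*.}` in config_domainname leaves the string unchanged when the hostname contains no dot, so an unqualified hostname is returned as if it were the domain. A guard before the `print`, such as `[[ ${hostname} == *.* ]] || return ${EXIT_ERROR}`, would let callers tell "no domain part" apart from a real domain. The comment above the expansion should also state what is returned for an unqualified hostname.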
@@ -102,7 +154,7 @@ function config_set() { log INFO "Setting configuration option '${key}=${val}'". - eval ${key}="${val}" + printf -v ${key} "%s" "${val}" ;; *) warning "Invalid parameter given: ${1}" @@ -113,14 +165,15 @@ function config_set() { } function network_config_read() { - # Save state of DEBUG and restore it later. - local debug=${DEBUG} - - config_read ${NETWORK_CONFIG_FILE} + local options=${NETWORK_CONFIG_FILE_PARAMS} - if [ -n "${debug}" ]; then - DEBUG=${debug} + # If the DEBUG variable has already been set, + # don't overwrite it. + if [ -n "${DEBUG}" ]; then + list_remove options DEBUG fi + + config_read ${NETWORK_CONFIG_FILE} ${options} } function network_config_write() { @@ -135,7 +188,7 @@ function network_config_print() { } function firewall_config_read() { - config_read ${FIREWALL_CONFIG_FILE} + config_read ${FIREWALL_CONFIG_FILE} ${FIREWALL_CONFIG_PARAMS} } function firewall_config_write() {
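Review bot: The allow-list that network_config_read passes is optional in practice. If `NETWORK_CONFIG_FILE_PARAMS` is empty or unset, `options` is empty, and config_read (first hunk) then skips its key check and assigns every key found in the file. firewall_config_read in the last hunk depends on `FIREWALL_CONFIG_PARAMS` in the same way; the two names follow different patterns, and a misspelt name would silently disable the filtering. An `assert isset NETWORK_CONFIG_FILE_PARAMS` before the call, with the firewall equivalent, would make the restriction fail closed. `list_remove` is defined outside this diff, so whether `options` can end up empty after DEBUG is removed cannot be checked from here.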