git.ipfire.org Git - thirdparty/openvpn.git/commit
Validate DNS domain name before powershell invocation
author Lev Stipakov <lev@openvpn.net>
Thu, 18 Sep 2025 17:34:40 +0000 (19:34 +0200)
committer Gert Doering <gert@greenie.muc.de>
Thu, 18 Sep 2025 17:49:03 +0000 (19:49 +0200)
commit 6c3afe508b15764eea4e5bdcbaed37c02c281d9a
tree 0fed250af28088537a2ce8fa57d88908d9e72f84
parent cabbf49ba267477c3015c3da9ee4bd45b1207211
Starting from commit

  d383d6e ("win: replace wmic invocation with powershell")

we pass --dhcp-option DOMAIN value to a powershell command
to set DNS domain. Without validation this opens the door
to a command injection attack.

This only allows domain names with characters:

  [A-Za-z0-9.-_\x80-\0xff]

Change-Id: I7a57d7b4e84aa2b9c9e71e30520ed468b0e3c278
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1198
Message-Id: <20250918173447.32466-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33071.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/domain_helper.h [new file with mode: 0644]
src/openvpn/tun.c
src/openvpnserv/interactive.c
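
The allow-list check described in the commit message, as an added example that is not the code from this commit or from domain_helper.h. It reads the listed set as the literal characters '.', '-' and '_' (inside a regular-expression bracket, `.-_` would instead be a range that also covers ';', '<' and other punctuation). Assumptions: the name example_domain_is_safe, the 253-byte cap and the rejection of empty values are not from the page, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed cap: 253 is the usual limit for a textual DNS name; the commit
 * message states only the character set, not a length limit. */
#define EXAMPLE_MAX_DOMAIN_LEN 253

/* Hypothetical helper, not the function from domain_helper.h.
 * Accepts only bytes from the set the commit message lists:
 * A-Z a-z 0-9 '.' '-' '_' and the high bytes 0x80-0xff
 * (assumed purpose: UTF-8 encoded names). */
static bool
example_domain_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
    {
        return false; /* assumption: an empty value is rejected too */
    }

    size_t len = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++)
    {
        const unsigned char c = *p;
        const bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                        || (c >= '0' && c <= '9')
                        || c == '.' || c == '-' || c == '_'
                        || c >= 0x80;
        if (!ok || ++len > EXAMPLE_MAX_DOMAIN_LEN)
        {
            return false; /* quotes, spaces, ';', '$', '|' all land here */
        }
    }
    return true;
}

int
main(void)
{
    /* Constructed sample values, not taken from the commit. */
    const char *samples[] = { "corp.example.com", "b\xc3\xbc" "cher.example",
                              "corp.example.com'", "a b", "x;y", "" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    {
        printf("%-22s %s\n", samples[i],
               example_domain_is_safe(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The check belongs at every point where the value crosses into a command line, which in this commit's file list means both tun.c and the interactive service.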