- Fix Config Injection in create_unbound_ad_servers.sh,
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 20 Nov 2019 11:02:19 +0000 (12:02 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 20 Nov 2019 11:02:19 +0000 (12:02 +0100)
  reported by X41 D-Sec.

contrib/create_unbound_ad_servers.sh
doc/Changelog

index d31f078b3d39652a06d7b02f37f32fb9570d3ad1..49fdbffedfaff2b3e3266424c1b6397183f90f91 100644 (file)
@@ -9,12 +9,13 @@
 # Variables
 dst_dir="/etc/opt/csw/unbound"
 work_dir="/tmp"
-list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
+list_addr="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
 
 # OS commands
 CAT=`which cat`
 ECHO=`which echo`
 WGET=`which wget`
+TR=`which tr`
 
 # Check Wget installed
 if [ ! -f $WGET ]; then
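Review bot: The download target is still a fixed file name in a world-writable directory: `work_dir="/tmp"` in this hunk's context is what the wget line in the next hunk writes to as `$work_dir/yoyo_ad_servers`. If the script runs as root, which the `/etc/opt/csw/unbound` destination suggests, another local user can pre-create that path, for example as a symlink, and so control what gets overwritten or what is read back into the generated config. A private directory created at run time, `work_dir=$(mktemp -d) || exit 1`, with removal on exit, closes that gap where `mktemp` is available. Separately, the added `TR` lookup is not covered by an installed-check like the one that follows for wget, so a missing `tr` would only surface as a failed pipeline stage.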
@@ -22,8 +23,10 @@ if [ ! -f $WGET ]; then
  exit 1
 fi
 
+# remove special characters with tr to protect unbound.conf
 $WGET -O $work_dir/yoyo_ad_servers "$list_addr" && \
 $CAT $work_dir/yoyo_ad_servers | \
+$TR -d '";$\\' | \
 while read line ; \
  do \
    $ECHO "local-zone: \"$line\" redirect" ;\
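Review bot: The added `$TR -d '";$\\'` stage is a denylist, so every other byte the server sends (spaces, `#`, carriage returns, other control characters) still ends up inside the quoted `local-zone:` name. Since the list should hold hostnames only, keeping just hostname characters is the tighter filter: `$TR -cd 'A-Za-z0-9._\n-' | \` (the range syntax may need adjusting for the platform's `tr`). A line that is empty after filtering would still emit `local-zone: ""`, so the loop should skip empty `$line` values. The loop body continues outside this hunk, so where the output is written cannot be checked from here.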
@@ -36,4 +39,4 @@ echo "Done."
 #  the unbound_ad_servers file:
 #
 #   include: $dst_dir/unbound_ad_servers
-#
\ No newline at end of file
+#
index e6562e98c0a9592d41ab7f96da293979d84dac94..a4f6d873ca1fd273bab8ed519d61fae69375dbf0 100644 (file)
@@ -12,6 +12,8 @@
          reported by X41 D-Sec.
        - Fix Out-of-Bounds Read in dname_valid(),
          reported by X41 D-Sec.
+       - Fix Config Injection in create_unbound_ad_servers.sh,
+         reported by X41 D-Sec.
 
 19 November 2019: Wouter
        - Fix CVE-2019-18934, shell execution in ipsecmod.