From: Selva Nair <selva.nair@gmail.com>
Date: Mon, 3 Nov 2025 14:59:56 +0000 (+0100)
Subject: openvpnserv: Disallow stdin as config unless user is authorized
X-Git-Tag: v2.7_rc2~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a3d8c40260930ab82ca5d9d71796a7763e74a03d;p=thirdparty%2Fopenvpn.git

openvpnserv: Disallow stdin as config unless user is authorized

Reported by: <stephan@srlabs.de>

Change-Id: I356faeebfade1eed9b40d6700b13621c357ec5ac
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1343
Message-Id: <20251103150002.23187-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34156.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 2187fb58b..ddaa381a5 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -68,6 +68,11 @@ CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
     const WCHAR *config_file = NULL;
     WCHAR config_dir[MAX_PATH];
 
+    /* fname = stdin is special: do not treat it as a relative path */
+    if (wcscmp(fname, L"stdin") == 0)
+    {
+        return FALSE;
+    }
     /* convert fname to full path */
     if (PathIsRelativeW(fname))
     {