When connecting a VPN using the pptp-command perl script, it dies due to a tainted variable. This will occur whenever the macro DEF_GW is used in the /etc/ppp/peers/* script files, in the upper comment section which pptp-command uses to modify routing.

Reproducible: Always

Steps to Reproduce:
# pptp-command start Oficina

The relevant lines of the control file are:
## Real IP obscured,
## a.b.c.d is the public ip address of the tunnel server.
## a.b.c.x is the ip address given to ppp1
## a.b.c.0 is the office network.

/etc/ppp/peers/Oficina:
#
# PPTP Tunnel configuration for tunnel Oficina
# Server IP: a.b.c.d
# Route: del -host a.b.c.d dev TUNNEL_DEV
# Route: add -host a.b.c.d gw DEF_GW
# Route: add -net a.b.c.0/24 dev TUNNEL_DEV
(Actual IP addresses changed)

Actual Results:
Command dies due to a taintedness error:
Route: del -host 62.22.27.249 dev ppp0 added
Insecure dependency in system while running with -T switch at /usr/sbin/pptp-command line 795.

Expected Results:
Route: del -host a.b.c.d dev ppp1 added
Route: add -host a.b.c.d gw 192.168.100.254 added
Route: add -net a.b.c.0/24 dev ppp1 added
All routes added.
Tunnel Oficina is active on ppp1.
IP Address: a.b.c.x
Installed /etc/resolv.conf.pptp as /etc/resolv.conf

Tracing the script, lines 792 through 795 are:
---
792: $r = $1;
793: $r =~ s/TUNNEL_DEV/$if/og;
794: $r =~ s/DEF_GW/$gw/og;
795: die "route failed on $r" if system("/sbin/route $r");
---
$r must be the tainted var to die in 795. It's untainted in 792, so $if or $gw are tainted. Looking further up we see in lines 775-776:
---
die "something screwy in your interface names: $if\n" if $if !~ /^($safe_re)$/o;
$if = $1;
---
So $if is untainted, but line 780 is
---
my (undef, $gw, undef) = split ' ', (`/sbin/route -n`)[-1];
---
which leads to a tainted $gw.
Just a little regexp-laundering fixes the problem (I'm not a diff/patch expert, but this should be enough):
-----
# diff pptp-command.original pptp-command
781a782,785
> if ($gw !~ /^($safe_re)$/o) {
> die "WARNING: gateway '$gw' contains unsafe characters.\n";
> }
> $gw = $1;
-----
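Review bot: the new check validates $gw against $safe_re, the pattern the script already uses for interface names at line 775, but $gw is taken from the gateway column of `/sbin/route -n` and should be an IPv4 address; matching it against an address-shaped pattern such as `^(\d{1,3}(?:\.\d{1,3}){3})$` would reject anything that is not a dotted quad, which is tighter than what an interface-name pattern accepts. Two smaller points: the message begins with "WARNING:" although die is fatal, and the script's own style two lines up is the one-liner `die "..." if $if !~ /^($safe_re)$/o;`, which this hunk could follow instead of the braced if. The `$gw = $1;` laundering itself is sound because it sits directly after the match, with no other regex executed in between that could clobber $1.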
Even if I add your patch, pptp-command will still die. The only difference will be the error message... What I really want to know is why $gw is tainted. Could you please put a print "GATEWAY is $gw\n"; at line 781 and report here whether the detection went OK or not?
The reporter did not reply.
$gw is tainted because it comes from the result of executing an external command, via split, in line 780. Taintedness isn't related to its contents but to its "data source"; in my execution it contains the IP address. The way to untaint in perl is to use a substring in a regexp match, so it is the << $gw = $1; >> that untaints it. The << if ($gw !~ /^($safe_re)$/o) >> is just a sanity check in case somebody plays with the route commands and manages to stick something like ";rm -f /" in the middle of the output.

If the script still dies, maybe it is because my patch is bad; would it be ok if I just send the whole pptp-command script?

Anyway, the fix is trivial: just following the source code backwards for some lines, the taintedness problem is seen. But the problem is it only arises when you need the default gateway in the macros, which is my case, as our VPN server is on a public address and serves public addresses in the same subnet too (but behind the firewall). The macro is not normally used in common usage scenarios, so it probably has gone undetected for a while (I tried to report it to the pptp-command developers, but was unable to do it, so I tried the next more general fix, in gentoo, but it seems I don't generate correct reports). I'm trying to reopen this, and try to monitor it better.
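An added example, not code from the pptp-command script, its developers, or this thread, that reproduces the mechanism discussed above end to end: a value read from a child process carries Perl's taint flag whatever its contents, interpolating it into the route argument taints that too, system() refuses the tainted argument with the exact error from the bug report, and only a capture from a successful regex match launders it. The route line is constructed, /bin/echo stands in for /sbin/route so nothing is actually routed, and the dotted-quad $safe_re is an assumption here because the script's own pattern does not appear in the thread.

```perl
#!/usr/bin/perl -T
# Added example (not pptp-command code): why $gw is tainted and how the
# regex capture from the proposed patch launders it.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted as well, and any exec needs a clean PATH (perlsec).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed stand-in for the last line of `/sbin/route -n`, produced by a
# real child process so the result carries the taint flag just as at line 780.
my $route_line = `echo 0.0.0.0 192.168.100.254 0.0.0.0 UG 0 0 0 eth0`;
my (undef, $gw, undef) = split ' ', $route_line;

printf "gw=%s tainted=%s\n", $gw, tainted($gw) ? 'yes' : 'no';

# Taint follows the data: the interpolated route argument inherits it...
my $r = "add -host 10.0.0.1 gw $gw";
printf "route arg tainted=%s\n", tainted($r) ? 'yes' : 'no';

# ...and system() refuses it, even in list form. /bin/echo stands in for
# /sbin/route so the example is harmless; the message is the one in the report.
my $ok = eval { system('/bin/echo', 'route', $r); 1 };
print "system() died: $@" unless $ok;

# Laundering. Only a capture group from a successful match yields untainted
# data, so the pattern *is* the check. Assumption: pptp-command's $safe_re is
# not shown on the page; a dotted quad is used here since $gw is a gateway.
my $safe_re = qr/\d{1,3}(?:\.\d{1,3}){3}/;
die "gateway '$gw' contains unsafe characters\n" if $gw !~ /^($safe_re)$/;
$gw = $1;
printf "gw=%s tainted=%s after laundering\n", $gw, tainted($gw) ? 'yes' : 'no';

$r = "add -host 10.0.0.1 gw $gw";
system('/bin/echo', 'route', $r) == 0 or die "route failed on $r";

# What the sanity check buys: if the route output is ever not what you expect,
# these never reach system().
for my $bad ('192.168.100.254; rm -rf /', "192.168.100.254\tUG", 'default') {
    print "rejected: '$bad'\n" unless $bad =~ /^($safe_re)$/;
}
```

Run it as `perl -T taint_demo.pl` (or make it executable and run it directly); invoking it as `perl taint_demo.pl` fails with "Too late for -T option", because taint mode must be on from the first line. The `-T` shebang mirrors how pptp-command itself runs, which is why line 795 dies rather than silently passing the gateway string to the shell.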
Fixed in 1.5.0-r2. My apologies for not understanding the first time. Thanks!