Bug 927918 - net-firewall/ipset init script TEMP_SUFFIX with unescaped . causes unintended regex matches
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-03-26 20:50 UTC by Hank Leininger
Modified: 2024-03-26 22:08 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Hank Leininger 2024-03-26 20:50:05 UTC
Since ipset-7.17-r1 we've used a short suffix for temp ipset names.

But as pointed out in https://bugs.gentoo.org/908235#c4, the suffix chosen, '.t', causes misbehavior when that is used to grep for the existence of a set by that name, because the . is a regex wildcard.

We either need to forbid . in suffixes, or add escaping when building a regex.

There are some other implicit restrictions on the characters allowed in TEMP_SUFFIX, because we embed it in sed s/// commands and such. A / is legal in a set name, but would break our init script.

So we should enforce restricting and/or sanitizing not just ., but any character that we can't support correctly.

We also probably should quote set names more thoroughly.
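The false match described in the report, as an added shell example that is not part of the bug or of the ipset init script: it stands in for `ipset list -n` with a constructed list of set names, assumes the script tests for a set with a grep anchored on the full name (the actual grep is not shown here), and uses an assumed allow-list of suffix characters.

```shell
#!/bin/sh
# Constructed sample standing in for `ipset list -n` output; note there is a
# set named "blocklist4t" but none named "blocklist.t".
SAMPLE_SETS='blocklist
blocklist4t
allowlist'

# Buggy check: the suffix is interpolated unescaped into a regex, so the "."
# in ".t" matches any single character (here the "4" of "blocklist4t").
set_exists_unescaped() {
    printf '%s\n' "$SAMPLE_SETS" | grep -q "^$1$2\$"
}

# Fix 1: compare as a fixed string over the whole line; no metacharacters apply.
set_exists_fixed() {
    printf '%s\n' "$SAMPLE_SETS" | grep -Fqx -- "$1$2"
}

# Fix 2: escape BRE metacharacters before building the regex.
regex_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}
set_exists_escaped() {
    printf '%s\n' "$SAMPLE_SETS" | grep -q "^$(regex_escape "$1$2")\$"
}

# Assumed allow-list for TEMP_SUFFIX (the bug leaves the exact set open):
# letters, digits, "_" and "-" are safe in both grep regexes and sed s///,
# so "." and "/" are rejected before the suffix reaches either.
suffix_is_safe() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}
```

With TEMP_SUFFIX=.t the unescaped check reports blocklist.t as present because blocklist4t matches, while both fixed versions report it absent.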
Comment 1 Hank Leininger 2024-03-26 21:49:52 UTC
I'm working on a PR that addresses the primary issue plus various additional checks.