Bug 927918 - net-firewall/ipset init script TEMP_SUFFIX with unescaped . causes unintended regex matches
Summary: net-firewall/ipset init script TEMP_SUFFIX with unescaped . causes unintended...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-03-26 20:50 UTC by Hank Leininger
Modified: 2024-04-30 06:43 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Description Hank Leininger 2024-03-26 20:50:05 UTC
Since ipset-7.17-r1 we've used a short suffix for temp ipset names.

But as pointed out in https://bugs.gentoo.org/908235#c4, the suffix chosen, '.t', causes misbehavior when that is used to grep for the existence of a set by that name, because the . is a regex wildcard.

We either need to forbid . in suffixes, or add escaping when building a regex.

There are some other implicit restrictions on the characters allowed in TEMP_SUFFIX, because we embed it in sed s/// commands and such. A / is legal in a set name, but would break our init script.

So we should enforce restricting and/or sanitizing more characters than just '.': anything that we can't support correctly.

We also probably should quote set names more thoroughly.
Comment 1 Hank Leininger 2024-03-26 21:49:52 UTC
I'm working on a PR that addresses the primary issue plus various additional checks.
Comment 2 Larry the Git Cow gentoo-dev 2024-04-30 06:41:58 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efef1aaf36c98fa6ce64e492a52124d404ec2888

commit efef1aaf36c98fa6ce64e492a52124d404ec2888
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2024-03-26 22:02:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-04-30 06:37:49 +0000

    net-firewall/ipset: enforce safe chars in set names & suffix
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/927918
    Closes: https://github.com/gentoo/gentoo/pull/35939
    Signed-off-by: Sam James <sam@gentoo.org>

 net-firewall/ipset/files/ipset.initd-r7 | 127 ++++++++++++++++++++++++++++++++
 net-firewall/ipset/ipset-7.21-r1.ebuild | 116 +++++++++++++++++++++++++++++
 2 files changed, 243 insertions(+)