dracut/SOURCES/0241.patch

From 4107f122969044e3e6f2e976cf8294dd9d91a1ee Mon Sep 17 00:00:00 2001
From: Pavel Valena <pvalena@redhat.com>
Date: Tue, 12 May 2026 03:25:20 +0200
Subject: [PATCH] fix(network): warn on suspicious shell metacharacters in
 hostname file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

setup_net() sources /tmp/net.$netif.hostname as shell, which is written
by dhclient-script.sh or ifup.sh. Add a defensive check that warns if
the file contains shell metacharacters ($, `, ;, &, |, () that should
never appear in a legitimate hostname, indicating possible DHCP-based
command injection attempts.

The file is still sourced for compatibility — the writer-side fix
(printf '%q') already prevents execution of injected content.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Related: RHEL-170847
---
 modules.d/40network/net-lib.sh | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
index 128d6343..bbfb0a9f 100755
--- a/modules.d/40network/net-lib.sh
+++ b/modules.d/40network/net-lib.sh
@@ -117,9 +117,16 @@ setup_net() {
     [ -e "/tmp/net.ifaces" ] && read IFACES < /tmp/net.ifaces
     [ -z "$IFACES" ] && IFACES="$netif"
     # run the scripts written by ifup
-    [ -e /tmp/net.$netif.hostname ]      && . /tmp/net.$netif.hostname
-    [ -e /tmp/net.$netif.override ]      && . /tmp/net.$netif.override
-    [ -e /tmp/dhclient.$netif.dhcpopts ] && . /tmp/dhclient.$netif.dhcpopts
+    if [ -e /tmp/net."$netif".hostname ]; then
+        if grep -qE '[$`;&|(]' /tmp/net."$netif".hostname 2>/dev/null; then
+            warn "setup_net $netif: /tmp/net.$netif.hostname contains suspicious shell metacharacters"
+        fi
+        # shellcheck disable=SC1090
+        . /tmp/net."$netif".hostname
+    fi
+    [ -e /tmp/net."$netif".override ] && . /tmp/net."$netif".override
+    [ -e /tmp/dhclient."$netif".dhcpopts ] && . /tmp/dhclient."$netif".dhcpopts
+
     # set up resolv.conf
     [ -e /tmp/net.$netif.resolv.conf ] && \
         awk '!array[$0]++' /tmp/net.$netif.resolv.conf > /etc/resolv.conf