47 lines
1.8 KiB
Diff
47 lines
1.8 KiB
Diff
From 977f1498201973eb1420aa309cbee71c4aa9bf56 Mon Sep 17 00:00:00 2001
|
|
From: Pavel Valena <pvalena@redhat.com>
|
|
Date: Tue, 12 May 2026 03:25:20 +0200
|
|
Subject: [PATCH] fix(network): warn on suspicious shell metacharacters in
|
|
hostname file
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
setup_net() sources /tmp/net.$netif.hostname as shell, which is written
|
|
by dhclient-script.sh or ifup.sh. Add a defensive check that warns if
|
|
the file contains shell metacharacters ($, `, ;, &, |, () that should
|
|
never appear in a legitimate hostname, indicating possible DHCP-based
|
|
command injection attempts.
|
|
|
|
The file is still sourced for compatibility — the writer-side fix
|
|
(printf '%q') already prevents execution of injected content.
|
|
|
|
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
|
|
|
Related: RHEL-170857
|
|
---
|
|
modules.d/40network/net-lib.sh | 9 +++++++--
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
|
|
index a294a390..7734c1f4 100755
|
|
--- a/modules.d/40network/net-lib.sh
|
|
+++ b/modules.d/40network/net-lib.sh
|
|
@@ -127,8 +127,13 @@ setup_net() {
|
|
[ -e "/tmp/net.ifaces" ] && read -r IFACES < /tmp/net.ifaces
|
|
[ -z "$IFACES" ] && IFACES="$netif"
|
|
# run the scripts written by ifup
|
|
- # shellcheck disable=SC1090
|
|
- [ -e /tmp/net."$netif".hostname ] && . /tmp/net."$netif".hostname
|
|
+ if [ -e /tmp/net."$netif".hostname ]; then
|
|
+ if grep -qE '[$`;&|(]' /tmp/net."$netif".hostname 2>/dev/null; then
|
|
+ warn "setup_net $netif: /tmp/net.$netif.hostname contains suspicious shell metacharacters"
|
|
+ fi
|
|
+ # shellcheck disable=SC1090
|
|
+ . /tmp/net."$netif".hostname
|
|
+ fi
|
|
# shellcheck disable=SC1090
|
|
[ -e /tmp/net."$netif".override ] && . /tmp/net."$netif".override
|
|
# shellcheck disable=SC1090
|
|
|