(Includes partial revert of 8107ee642f9929e7e656fc52759816b51fbaef90.) - feat(resume): add device used for resume - fix(dracut): remove trailing null characters from SBATs when building UKIs - fix(network-legacy): replace `echo` writes with `printf` to prevent injection via DHCP - fix(iscsi): replace `echo` writes with `printf` to prevent variable injection - fix(network): warn on suspicious shell metacharacters in hostname file - fix(base): escape arguments in initqueue hook script generation - revert: "feat(i18n): pull 'drm' or 'simpledrm' module unless excluded" Resolves: RHEL-119785,RHEL-140458,RHEL-170858,RHEL-178488
47 lines
1.8 KiB
Diff
47 lines
1.8 KiB
Diff
From 8823fab4f32315e5e7c376116954b9f84b2576dd Mon Sep 17 00:00:00 2001
|
|
From: Pavel Valena <pvalena@redhat.com>
|
|
Date: Tue, 12 May 2026 03:25:20 +0200
|
|
Subject: [PATCH] fix(network): warn on suspicious shell metacharacters in
|
|
hostname file
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
setup_net() sources /tmp/net.$netif.hostname as shell, which is written
|
|
by dhclient-script.sh or ifup.sh. Add a defensive check that warns if
|
|
the file contains shell metacharacters ($, `, ;, &, |, () that should
|
|
never appear in a legitimate hostname, indicating possible DHCP-based
|
|
command injection attempts.
|
|
|
|
The file is still sourced for compatibility — the writer-side fix
|
|
(printf '%q') already prevents execution of injected content.
|
|
|
|
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
|
|
|
Related: RHEL-170858
|
|
---
|
|
modules.d/40network/net-lib.sh | 9 +++++++--
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
|
|
index a294a390..03be4c6d 100755
|
|
--- a/modules.d/40network/net-lib.sh
|
|
+++ b/modules.d/40network/net-lib.sh
|
|
@@ -127,8 +127,13 @@ setup_net() {
|
|
[ -e "/tmp/net.ifaces" ] && read -r IFACES < /tmp/net.ifaces
|
|
[ -z "$IFACES" ] && IFACES="$netif"
|
|
# run the scripts written by ifup
|
|
- # shellcheck disable=SC1090
|
|
- [ -e /tmp/net."$netif".hostname ] && . /tmp/net."$netif".hostname
|
|
+ if [ -e /tmp/net."$netif".hostname ]; then
|
|
+ if grep -qE '[$`;&|(]' /tmp/net."$netif".hostname 2> /dev/null; then
|
|
+ warn "setup_net $netif: /tmp/net.$netif.hostname contains suspicious shell metacharacters"
|
|
+ fi
|
|
+ # shellcheck disable=SC1090
|
|
+ . /tmp/net."$netif".hostname
|
|
+ fi
|
|
# shellcheck disable=SC1090
|
|
[ -e /tmp/net."$netif".override ] && . /tmp/net."$netif".override
|
|
# shellcheck disable=SC1090
|
|
|