[Openvpn-commits] SF.net Git: OpenVPN with experimental and new features - which requires a lot of testing branch, beta/2.3, updated. v2.3_beta1-9-g78a6afe

[<ope...@li...>]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenVPN with experimental and new features - which requires a lot of testing".

The branch, beta/2.3 has been updated
       via  78a6afee9bef68c9006d3e2477b137028c508b96 (commit)
       via  3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2 (commit)
      from  d442b8dbc4230e4252a63fbd57f149ef3fa090c8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 78a6afee9bef68c9006d3e2477b137028c508b96
Author: David Sommerseth <da...@re...>
Date:   Wed Oct 31 14:01:23 2012 +0100

    Preparing for v2.3_rc1
    
    Signed-off-by: David Sommerseth <da...@re...>

commit 3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2
Author: David Sommerseth <da...@re...>
Date:   Thu Oct 25 14:22:30 2012 +0200

    Remove the support for using system() when executing external programs or scripts
    
    This patch removes the support for the system() call, and enforces the
    usage of execve() on the *nix platform and CreateProcessW() on Windows.
    This is to enhance the overall security when calling external scripts.
    Using system() is prone to shell expansions, which may lead to security
    breaches.  Which is also why the execve() approach has been the default
    since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf which
    re-introduced the system() in Nov. 2008.
    
    After having asked on the mailing list and checked around on the IRC
    channels, the genereal consensus is that very few uses system() these
    days.
    
    The only annoyance I've been made aware of is that this will now
    require adding a full path to the script interpreter together with the
    script, and not just put in the script name alone.  But to just use the
    script name in Windows, you had to configure --script-security with the
    'system' flag earlier too.  So my conclusion is that it's better to add
    a full path to the script interpreter in Windows and raise the overal
    security with OpenVPN, than to continue to have a possible potentially
    risky OpenVPN configuration just to make life "easier" for Windows
    script users.
    
    Removal of the system() call, also solves a nasty bug related to the
    usage of putenv() on the *nix platforms.
    
    For more information please see:
    http://thread.gmane.org/gmane.network.openvpn.devel/7090
    https://community.openvpn.net/openvpn/ticket/228
    
    Trac-ticket: 228
    Signed-off-by: David Sommerseth <da...@re...>
    Acked-by: Gert Doering <ge...@gr...>
    Message-Id: <135...@us...>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/7114
    (cherry picked from commit 0563473601abfbf2142bfa0ca5b863c5aa7953a2)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |   19 +++++++
 doc/openvpn.8          |   48 ++++++++++++------
 src/openvpn/init.c     |    3 -
 src/openvpn/misc.c     |   98 +++++++------------------------------
 src/openvpn/misc.h     |    5 --
 src/openvpn/options.c  |   16 +------
 src/openvpn/platform.c |   27 +----------
 src/openvpn/platform.h |    4 +-
 src/openvpn/win32.c    |  127 +++++++++++++----------------------------------
 version.m4             |    2 +-
 10 files changed, 109 insertions(+), 240 deletions(-)


hooks/post-receive
-- 
OpenVPN with experimental and new features - which requires a lot of testing