Menu
▾
▴
openvpn-devel
|
From: plaisthos (C. Review) <ge...@op...> - 2025-10-29 13:17:24
|
Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1326?usp=email
to review the following change.
Change subject: clean up environment variable handling in verify_user_pass_script
......................................................................
clean up environment variable handling in verify_user_pass_script
The username environment variable is already set by the
set_verify_user_pass_env function before the verify_user_pass_script
function is called, so this call is not doing anything but might erroneously
made people think that this needs to be cleaned up.
Also ensure that the password is clean from the env even in an error case.
Reported-by: Joshua Rogers <co...@jo...>
Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I6c502508026c6b85bb092ada4d16d985b20dd41f
---
M src/openvpn/ssl_verify.c
1 file changed, 6 insertions(+), 5 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/26/1326/1
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 04ef27e..993d22c 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1329,7 +1329,7 @@
}
else
{
- setenv_str(session->opt->es, "username", up->username);
+ /* username env is already set by set_verify_user_pass_env */
setenv_str(session->opt->es, "password", up->password);
}
@@ -1377,10 +1377,6 @@
/* purge auth control filename (and file itself) for non-deferred returns */
key_state_rm_auth_control_files(&ks->script_auth);
}
- if (!session->opt->auth_user_pass_verify_script_via_file)
- {
- setenv_del(session->opt->es, "password");
- }
done:
if (tmp_file && strlen(tmp_file) > 0)
@@ -1389,6 +1385,11 @@
}
error:
+ if (!session->opt->auth_user_pass_verify_script_via_file)
+ {
+ setenv_del(session->opt->es, "password");
+ }
+
argv_free(&argv);
gc_free(&gc);
return retval;
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1326?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I6c502508026c6b85bb092ada4d16d985b20dd41f
Gerrit-Change-Number: 1326
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-30 19:43:58
|
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1326?usp=email ) Change subject: clean up environment variable handling in verify_user_pass_script ...................................................................... Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1326?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6c502508026c6b85bb092ada4d16d985b20dd41f Gerrit-Change-Number: 1326 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Thu, 30 Oct 2025 19:43:48 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes |
|
From: Gert D. <ge...@gr...> - 2025-10-30 19:44:14
|
From: Arne Schwabe <ar...@rf...> The username environment variable is already set by the set_verify_user_pass_env function before the verify_user_pass_script function is called, so this call is not doing anything but might erroneously made people think that this needs to be cleaned up. Also ensure that the password is clean from the env even in an error case. Reported-by: Joshua Rogers <co...@jo...> Found-by: ZeroPath (https://zeropath.com/) Change-Id: I6c502508026c6b85bb092ada4d16d985b20dd41f Signed-off-by: Arne Schwabe <arn...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1326 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1326 This mail reflects revision 1 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 04ef27e..993d22c 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1329,7 +1329,7 @@ } else { - setenv_str(session->opt->es, "username", up->username); + /* username env is already set by set_verify_user_pass_env */ setenv_str(session->opt->es, "password", up->password); } @@ -1377,10 +1377,6 @@ /* purge auth control filename (and file itself) for non-deferred returns */ key_state_rm_auth_control_files(&ks->script_auth); } - if (!session->opt->auth_user_pass_verify_script_via_file) - { - setenv_del(session->opt->es, "password"); - } done: if (tmp_file && strlen(tmp_file) > 0) @@ -1389,6 +1385,11 @@ } error: + if (!session->opt->auth_user_pass_verify_script_via_file) + { + setenv_del(session->opt->es, "password"); + } + argv_free(&argv); gc_free(&gc); return retval; |
|
From: Gert D. <ge...@gr...> - 2025-10-30 20:55:50
|
Stared at the code (verified the claims about "username is already
exported"), and ran this through the t_server tests which do need a
working script/plugin env. Works.
Your patch has been applied to the master branch.
commit 3fbba254b8645d2d1241e59f6ebd05e85ce05b52
Author: Arne Schwabe
Date: Thu Oct 30 20:43:56 2025 +0100
clean up environment variable handling in verify_user_pass_script
Signed-off-by: Arne Schwabe <arn...@rf...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1326
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg34069.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-30 20:56:04
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1326?usp=email ) Change subject: clean up environment variable handling in verify_user_pass_script ...................................................................... clean up environment variable handling in verify_user_pass_script The username environment variable is already set by the set_verify_user_pass_env function before the verify_user_pass_script function is called, so this call is not doing anything but might erroneously made people think that this needs to be cleaned up. Also ensure that the password is clean from the env even in an error case. Reported-by: Joshua Rogers <co...@jo...> Found-by: ZeroPath (https://zeropath.com/) Change-Id: I6c502508026c6b85bb092ada4d16d985b20dd41f Signed-off-by: Arne Schwabe <arn...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1326 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34069.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/ssl_verify.c 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 04ef27e..993d22c 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1329,7 +1329,7 @@ } else { - setenv_str(session->opt->es, "username", up->username); + /* username env is already set by set_verify_user_pass_env */ setenv_str(session->opt->es, "password", up->password); } @@ -1377,10 +1377,6 @@ /* purge auth control filename (and file itself) for non-deferred returns */ key_state_rm_auth_control_files(&ks->script_auth); } - if (!session->opt->auth_user_pass_verify_script_via_file) - { - setenv_del(session->opt->es, "password"); - } done: if (tmp_file && strlen(tmp_file) > 0) @@ -1389,6 +1385,11 @@ } error: + if (!session->opt->auth_user_pass_verify_script_via_file) + { + setenv_del(session->opt->es, "password"); + } + argv_free(&argv); gc_free(&gc); return retval; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1326?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6c502508026c6b85bb092ada4d16d985b20dd41f Gerrit-Change-Number: 1326 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-30 20:56:05
|
cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1326?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: clean up environment variable handling in verify_user_pass_script ...................................................................... clean up environment variable handling in verify_user_pass_script The username environment variable is already set by the set_verify_user_pass_env function before the verify_user_pass_script function is called, so this call is not doing anything but might erroneously made people think that this needs to be cleaned up. Also ensure that the password is clean from the env even in an error case. Reported-by: Joshua Rogers <co...@jo...> Found-by: ZeroPath (https://zeropath.com/) Change-Id: I6c502508026c6b85bb092ada4d16d985b20dd41f Signed-off-by: Arne Schwabe <arn...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1326 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34069.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/ssl_verify.c 1 file changed, 6 insertions(+), 5 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/26/1326/2 diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 04ef27e..993d22c 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1329,7 +1329,7 @@ } else { - setenv_str(session->opt->es, "username", up->username); + /* username env is already set by set_verify_user_pass_env */ setenv_str(session->opt->es, "password", up->password); } @@ -1377,10 +1377,6 @@ /* purge auth control filename (and file itself) for non-deferred returns */ key_state_rm_auth_control_files(&ks->script_auth); } - if (!session->opt->auth_user_pass_verify_script_via_file) - { - setenv_del(session->opt->es, "password"); - } done: if (tmp_file && strlen(tmp_file) > 0) @@ -1389,6 +1385,11 @@ } error: + if (!session->opt->auth_user_pass_verify_script_via_file) + { + setenv_del(session->opt->es, "password"); + } + argv_free(&argv); gc_free(&gc); return retval; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1326?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6c502508026c6b85bb092ada4d16d985b20dd41f Gerrit-Change-Number: 1326 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X