| -rw-r--r-- | changes/feature_2053_sanitize-config | 1 | ||||
| -rw-r--r-- | pkg/requirements.pip | 1 | ||||
| -rw-r--r-- | src/leap/services/eip/eipconfig.py | 14 | 
3 files changed, 12 insertions, 4 deletions
diff --git a/changes/feature_2053_sanitize-config b/changes/feature_2053_sanitize-config
new file mode 100644
index 00000000..12bd7541
--- /dev/null
+++ b/changes/feature_2053_sanitize-config
@@ -0,0 +1 @@
+  o Sanitize network-fetched content that is used to build openvpn command
diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index ad06fd56..a225d0de 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -12,5 +12,6 @@ pyopenssl
 keyring
 python-dateutil
 psutil
+ipaddr
 leap.common>=0.2.1-dev
diff --git a/src/leap/services/eip/eipconfig.py b/src/leap/services/eip/eipconfig.py
index e6b93647..0a7d2b23 100644
--- a/src/leap/services/eip/eipconfig.py
+++ b/src/leap/services/eip/eipconfig.py
@@ -22,6 +22,8 @@ import logging
 import os
 import re
+import ipaddr
+
 from leap.common.check import leap_assert, leap_assert_type
 from leap.common.config.baseconfig import BaseConfig
 from leap.config.providerconfig import ProviderConfig
@@ -36,7 +38,6 @@ class EIPConfig(BaseConfig):
     """
     OPENVPN_ALLOWED_KEYS = ("auth", "cipher", "tls-cipher")
     OPENVPN_CIPHERS_REGEX = re.compile("[A-Z0-9\-]+")
-    IP_REGEX = re.compile("^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
     def __init__(self):
         BaseConfig.__init__(self)
@@ -91,9 +92,14 @@ class EIPConfig(BaseConfig):
             index = 0
             logger.warning("Provided an unknown gateway index %s, " +
                            "defaulting to 0")
-        ip_addr = gateways[0]["ip_address"]
-        if self.IP_REGEX.search(ip_addr):
-            return ip_addr
+        ip_addr_str = gateways[0]["ip_address"]
+
+        try:
+            ipaddr.IPAddress(ip_addr_str)
+            return ip_addr_str
+        except ValueError:
+            logger.error("Invalid ip address in config: %s" % (ip_addr_str,))
+            return None
     def get_client_cert_path(self,
                              providerconfig=None,  |
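Review bot: In the last eipconfig.py hunk the parsed address is thrown away and the raw network-fetched value is returned, so the openvpn command receives whatever `ipaddr.IPAddress` was willing to accept rather than a canonical form; `return str(ipaddr.IPAddress(ip_addr_str))` would hand callers the normalised address. `IPAddress` also accepts IPv6 (and, as far as I know, integer input), which the removed IPv4-only regex did not, so `ipaddr.IPv4Address` is the closer replacement if the rest of the command building only expects dotted-quad. The error path interpolates the untrusted value with `%s`; `logger.error("Invalid ip address in config: %r", ip_addr_str)` keeps embedded newlines and control characters out of the log. The lookup still reads `gateways[0]` instead of `gateways[index]`, and the function starts outside the hunk, so it is worth confirming that ignoring the validated index is intended.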
