-rw-r--r--changes/feature_2053_sanitize-config1
-rw-r--r--pkg/requirements.pip1
-rw-r--r--src/leap/services/eip/eipconfig.py14
3 files changed, 12 insertions, 4 deletions
diff --git a/changes/feature_2053_sanitize-config b/changes/feature_2053_sanitize-config
new file mode 100644
index 00000000..12bd7541
--- /dev/null
+++ b/changes/feature_2053_sanitize-config
@@ -0,0 +1 @@
+ o Sanitize network-fetched content that is used to build openvpn command
diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index ad06fd56..a225d0de 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -12,5 +12,6 @@ pyopenssl
keyring
python-dateutil
psutil
+ipaddr
leap.common>=0.2.1-dev
diff --git a/src/leap/services/eip/eipconfig.py b/src/leap/services/eip/eipconfig.py
index e6b93647..0a7d2b23 100644
--- a/src/leap/services/eip/eipconfig.py
+++ b/src/leap/services/eip/eipconfig.py
@@ -22,6 +22,8 @@ import logging
import os
import re
+import ipaddr
+
from leap.common.check import leap_assert, leap_assert_type
from leap.common.config.baseconfig import BaseConfig
from leap.config.providerconfig import ProviderConfig
@@ -36,7 +38,6 @@ class EIPConfig(BaseConfig):
"""
OPENVPN_ALLOWED_KEYS = ("auth", "cipher", "tls-cipher")
OPENVPN_CIPHERS_REGEX = re.compile("[A-Z0-9\-]+")
- IP_REGEX = re.compile("^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
def __init__(self):
BaseConfig.__init__(self)
@@ -91,9 +92,14 @@ class EIPConfig(BaseConfig):
index = 0
logger.warning("Provided an unknown gateway index %s, " +
"defaulting to 0")
- ip_addr = gateways[0]["ip_address"]
- if self.IP_REGEX.search(ip_addr):
- return ip_addr
+ ip_addr_str = gateways[0]["ip_address"]
+
+ try:
+ ipaddr.IPAddress(ip_addr_str)
+ return ip_addr_str
+ except ValueError:
+ logger.error("Invalid ip address in config: %s" % (ip_addr_str,))
+ return None
def get_client_cert_path(self,
providerconfig=None,
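Review bot: The try block validates the network-fetched value with `ipaddr.IPAddress(ip_addr_str)` but then returns the original `ip_addr_str`, so the caller gets the raw input rather than the parsed address; returning the canonical form, `return str(ipaddr.IPAddress(ip_addr_str))`, guarantees a normalised string. `ipaddr.IPAddress` accepts integers and IPv6 addresses as well, so a JSON number would pass validation, and the check is now wider than the removed IPv4-only `IP_REGEX`; if only IPv4 gateways are intended, the parsed object's version should be checked too. The rejected value is interpolated into the error log with `%s`; `logger.error("Invalid ip address in config: %r", ip_addr_str)` would keep control characters in provider-supplied data from being written to the log verbatim. Separately, the lookup still reads `gateways[0]` rather than `gateways[index]`, which appears to ignore the requested index; the function begins outside this hunk, so confirm against its signature.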