From 32848d7f693f44b63c561a3b6aed35f5c4d082e2 Mon Sep 17 00:00:00 2001
From: Erik Karlsson
Date: Tue, 12 Mar 2024 17:52:02 +0100
Subject: [PATCH] bbfdm: fix shell injection in /etc/firewall.service

Avoid use of eval

(cherry picked from commit 53167364863ef4afc249045fe5dcb510e3ec164d)
---
 bbfdm/files/etc/firewall.service | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/bbfdm/files/etc/firewall.service b/bbfdm/files/etc/firewall.service
index 100f54a3d..2d40291cd 100755
--- a/bbfdm/files/etc/firewall.service
+++ b/bbfdm/files/etc/firewall.service
@@ -7,7 +7,7 @@ log() {
 }
 
 exec_cmd() {
-	if ! eval "$*"; then
+	if ! "$@"; then
 		log "Failed to run [$*]"
 		echo "-1"
 		return 0
@@ -73,7 +73,7 @@ add_iptable_rule() {
 		fi
 
 		if [ -z "${src_prefix}" ]; then
-			res=$(exec_cmd "iptables ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
+			res=$(exec_cmd iptables -w ${cmd} -m comment --comment IPtables_service_rule -j "${action}")
 		else
 			#Add ipv4 sources if any
 			src_list=""
@@ -86,7 +86,7 @@ add_iptable_rule() {
 
 			if [ -n "$src_list" ]; then
 				src_list=$(echo "${src_list}" | sed "s/,$//")
-				res=$(exec_cmd "iptables -s $src_list ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
+				res=$(exec_cmd iptables -w -s "$src_list" ${cmd} -m comment --comment IPtables_service_rule -j "${action}")
 			fi
 		fi
 	fi
@@ -97,7 +97,7 @@ add_iptable_rule() {
 		fi
 
 		if [ -z "${src_prefix}" ]; then
-			res=$(exec_cmd "ip6tables ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
+			res=$(exec_cmd ip6tables -w ${cmd} -m comment --comment IP6tables_service_rule -j "${action}")
 		else
 			#Add ipv6 sources if any
 			src_list=""
@@ -110,7 +110,7 @@ add_iptable_rule() {
 
 			if [ -n "$src_list" ]; then
 				src_list=$(echo "${src_list}" | sed "s/,$//")
-				res=$(exec_cmd "ip6tables -s $src_list ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
+				res=$(exec_cmd ip6tables -w -s "$src_list" ${cmd} -m comment --comment IP6tables_service_rule -j "${action}")
 			fi
 		fi
 	fi
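Review bot: The new `if ! "$@"; then` line changes exec_cmd's contract from "evaluate a command string" to "run the arguments as one argv", and nothing in the function documents that; every caller now has to pass the command already split into words, so a header comment is warranted, e.g. `# Runs "$@" as a single command line (no eval: arguments are never re-parsed by the shell). On failure, logs the argv and prints -1; the return status is always 0, callers must inspect the captured output.`. The `echo "-1"` / `return 0` pair is unchanged, but it is the only failure signal callers get, which is why that last clause matters. exec_cmd's body continues past the end of the hunk.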
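Review bot: On the new `res=$(exec_cmd iptables -w ${cmd} …)` line, `${cmd}` is still expanded unquoted, so it is word-split and pathname-expanded before reaching `"$@"`; the eval-driven command execution is closed, but content in `cmd` can still contribute additional iptables options, and a `*` or `?` in it would be matched against the working directory. Where `cmd` is assembled is outside this hunk, so I cannot tell whether its inputs are validated; if not, building the list with `set -- …` and passing `"$@"`, or wrapping the call in `set -f` / `set +f`, would remove the glob expansion while keeping the intended splitting. The same pattern appears in the three following hunks (the `-s "$src_list"` ip4/ip6 variants and the ip6tables default case). Separately, each of these hunks also adds `-w` to the iptables/ip6tables invocation, which makes the call block on the xtables lock; that behaviour change is not mentioned in the commit message ("Avoid use of eval") and deserves a sentence there.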