From dbce20e28a898c394274109904d471d84cfa7fea Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Fri, 13 Nov 2020 10:40:51 -0500
Subject: [PATCH 65/66] fix(rich): non-printable characters removed from rich
rules
Fixes: rhbz 1596304
Fixes: #480
(cherry picked from commit ac5960856991a00ddf7a558e31fd3248c8279a1f)
(cherry picked from commit a55416ea5f79f1a7cb1a97b6ee39524a542a8663)
---
src/firewall/core/rich.py | 2 ++
src/firewall/functions.py | 9 ++++++++-
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1596304.at | 23 +++++++++++++++++++++++
4 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 src/tests/regression/rhbz1596304.at
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index 86c0c998a478..03bc194c2b28 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -307,6 +307,8 @@ class Rich_Rule(object):
if not rule_str:
raise FirewallError(errors.INVALID_RULE, 'empty rule')
+ rule_str = functions.stripNonPrintableCharacters(rule_str)
+
self.priority = 0
self.family = None
self.source = None
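Review bot: The `'empty rule'` check two lines above the new call runs before the stripping, so a rule string consisting only of non-printable characters passes it and then continues as an empty string; moving the strip ahead of the check, `rule_str = functions.stripNonPrintableCharacters(rule_str)` placed before `if not rule_str:`, keeps that error reachable. The enclosing method starts and ends outside the hunk, so what an empty string reaches after this point is not visible here. Stripping also means the rule that gets parsed and stored differs from what the caller submitted; a comment such as `# Drop control/format characters (e.g. tabs) before tokenizing; the stored rule is the stripped form` would make that visible to the next reader.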
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index 6af220619f17..d20b702e047e 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -27,7 +27,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName",
"check_single_address", "check_mac", "uniqify", "ppid_of_pid",
"max_zone_name_len", "checkUser", "checkUid", "checkCommand",
"checkContext", "joinArgs", "splitArgs",
- "b2u", "u2b", "u2b_if_py2" ]
+ "b2u", "u2b", "u2b_if_py2", "stripNonPrintableCharacters"]
import socket
import os
@@ -42,6 +42,10 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
PY2 = sys.version < '3'
+NOPRINT_TRANS_TABLE = {
+ i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
+}
+
def getPortID(port):
""" Check and Get port id from port string or port id using socket.getservbyname
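Review bot: NOPRINT_TRANS_TABLE is built eagerly at import time by iterating every code point up to sys.maxunicode (over a million chr()/isprintable() calls), a cost paid by every process importing firewall.functions even when it never parses a rich rule; building the table lazily on first use, or filtering per call with `"".join(c for c in rule_str if c.isprintable())` inside stripNonPrintableCharacters, avoids it for the short strings involved. The comprehension also cannot run under Python 2, where chr() only accepts 0–255 and the byte str type has no isprintable(); the PY2 constant two lines above suggests that interpreter is still expected, in which case the module would fail at import there. A comment would help readers, e.g. `# str.translate() table deleting every code point str.isprintable() rejects: C0/C1 controls, format and unassigned characters, and all whitespace except the ASCII space.`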
@@ -226,6 +230,9 @@ def checkIPnMask(ip):
return False
return True
+def stripNonPrintableCharacters(rule_str):
+ return rule_str.translate(NOPRINT_TRANS_TABLE)
+
def checkIP6nMask(ip):
if "/" in ip:
addr = ip[:ip.index("/")]
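Review bot: stripNonPrintableCharacters has no docstring, and its deletion semantics matter to callers: because the table maps to None rather than to a space, a tab or newline sitting between two tokens joins them (`port\tport=80` becomes `portport=80`), which presumably then fails to parse instead of being read as a separator, while a tab inside a quoted value (the case the regression test covers) is cleanly removed. Whether the whitespace controls should map to a space instead is a parser question that cannot be settled from this hunk, but the docstring should state the current behaviour, e.g. `"""Return rule_str with every character rejected by str.isprintable() deleted (controls, format characters, and all whitespace other than the ASCII space); adjacent tokens are not re-separated."""`.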
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 65540840f50e..c1e8620ee700 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -35,3 +35,4 @@ m4_include([regression/rhbz1483921.at])
m4_include([regression/rhbz1541077.at])
m4_include([regression/rhbz1855140.at])
m4_include([regression/rhbz1871298.at])
+m4_include([regression/rhbz1596304.at])
diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at
new file mode 100644
index 000000000000..98a33934e271
--- /dev/null
+++ b/src/tests/regression/rhbz1596304.at
@@ -0,0 +1,23 @@
+FWD_START_TEST([rich rules strip non-printable characters])
+AT_KEYWORDS(rich rhbz1596304)
+
+dnl source address contains a tab character
+FWD_CHECK([--permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="104.243.250.0/22 " port port=80 protocol=tcp accept'],0,ignore)
+FWD_RELOAD
+FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ public
+ target: default
+ icmp-block-inversion: no
+ interfaces:
+ sources:
+ services: cockpit dhcpv6-client ssh
+ ports:
+ protocols:
+ masquerade: no
+ forward-ports:
+ source-ports:
+ icmp-blocks:
+ rich rules:
+ rule family="ipv4" source address="104.243.250.0/22" port port="80" protocol="tcp" accept
+ ])])
+FWD_END_TEST
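Review bot: The test hinges on a literal tab inside the quoted source address on the FWD_CHECK line, which editors, patch tooling and copy-paste readily turn into spaces (in this rendering it already appears as a plain space), so the test can silently stop exercising the fix and, if a trailing space happens to be accepted there, keep passing; generating the tab at run time, e.g. via `printf` or a shell `$'\t'` expansion where the test macro permits it, keeps the intent visible and robust. The test also covers only a control character inside a quoted value; a non-printable between two tokens and a rule made entirely of non-printables would confirm that the strip neither merges tokens nor bypasses the empty-rule check.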
--
2.28.0