From dbce20e28a898c394274109904d471d84cfa7fea Mon Sep 17 00:00:00 2001 From: Vrinda Punj Date: Fri, 13 Nov 2020 10:40:51 -0500 Subject: [PATCH 65/66] fix(rich): non-printable characters removed from rich rules Fixes: rhbz 1596304 Fixes: #480 (cherry picked from commit ac5960856991a00ddf7a558e31fd3248c8279a1f) (cherry picked from commit a55416ea5f79f1a7cb1a97b6ee39524a542a8663) --- src/firewall/core/rich.py | 2 ++ src/firewall/functions.py | 9 ++++++++- src/tests/regression/regression.at | 1 + src/tests/regression/rhbz1596304.at | 23 +++++++++++++++++++++++ 4 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 src/tests/regression/rhbz1596304.at diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py index 86c0c998a478..03bc194c2b28 100644 --- a/src/firewall/core/rich.py +++ b/src/firewall/core/rich.py @@ -307,6 +307,8 @@ class Rich_Rule(object): if not rule_str: raise FirewallError(errors.INVALID_RULE, 'empty rule') + rule_str = functions.stripNonPrintableCharacters(rule_str) + self.priority = 0 self.family = None self.source = None diff --git a/src/firewall/functions.py b/src/firewall/functions.py index 6af220619f17..d20b702e047e 100644 --- a/src/firewall/functions.py +++ b/src/firewall/functions.py @@ -27,7 +27,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName", "check_single_address", "check_mac", "uniqify", "ppid_of_pid", "max_zone_name_len", "checkUser", "checkUid", "checkCommand", "checkContext", "joinArgs", "splitArgs", - "b2u", "u2b", "u2b_if_py2" ] + "b2u", "u2b", "u2b_if_py2", "stripNonPrintableCharacters"] import socket import os @@ -42,6 +42,10 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE PY2 = sys.version < '3' +NOPRINT_TRANS_TABLE = { + i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable() +} + def getPortID(port): """ Check and Get port id from port string or port id using socket.getservbyname 
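Review bot: The `if not rule_str` guard just above the added call still inspects the unstripped text, so a rule consisting only of non-printable characters (e.g. `"\t"`) passes it and reaches the parser as an empty string instead of failing with the 'empty rule' error; run the strip first: `rule_str = functions.stripNonPrintableCharacters(rule_str)` followed by `if not rule_str: raise FirewallError(errors.INVALID_RULE, 'empty rule')`. Rewriting the rule silently also means the text firewalld stores and applies is not what the caller submitted, which hides malformed or hostile input rather than surfacing it; for caller-supplied rule text, rejecting it with `FirewallError(errors.INVALID_RULE, ...)` — or at least logging that characters were dropped — fails closed and keeps the applied rule auditable. The enclosing method starts and ends outside the hunk.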
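Review bot: `NOPRINT_TRANS_TABLE` is computed eagerly at import time by calling `chr(i).isprintable()` for every code point up to `sys.maxunicode` (over a million iterations) and keeps a key for each non-printable one, which includes the entire unassigned range, so every process importing `firewall.functions` pays that start-up cost and carries a dict of several hundred thousand entries in service of a single `translate` call. A per-call filter, `"".join(ch for ch in rule_str if ch.isprintable())`, needs no table and costs only the length of the rule; if the table is kept, build it lazily on first use and document it with `# str.translate table: every code point with isprintable() == False maps to None (deleted); includes tab, newline and non-ASCII whitespace`. Also, `chr(i)` for i > 255 raises on Python 2 and `str.isprintable()` does not exist there, so if that interpreter is still meant to be supported (the module keeps `PY2` directly above and `u2b_if_py2` in `__all__`), this line breaks the import.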
@@ -226,6 +230,9 @@ def checkIPnMask(ip):
 return False
 return True
+def stripNonPrintableCharacters(rule_str):
+ return rule_str.translate(NOPRINT_TRANS_TABLE)
+
 def checkIP6nMask(ip):
 if "/" in ip:
 addr = ip[:ip.index("/")]
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 65540840f50e..c1e8620ee700 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -35,3 +35,4 @@ m4_include([regression/rhbz1483921.at])
 m4_include([regression/rhbz1541077.at])
 m4_include([regression/rhbz1855140.at])
 m4_include([regression/rhbz1871298.at])
+m4_include([regression/rhbz1596304.at])
diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at
new file mode 100644
index 000000000000..98a33934e271
--- /dev/null
+++ b/src/tests/regression/rhbz1596304.at
@@ -0,0 +1,23 @@
+FWD_START_TEST([rich rules strip non-printable characters])
+AT_KEYWORDS(rich rhbz1596304)
+
+dnl source address contains a tab character
+FWD_CHECK([--permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="104.243.250.0/22 " port port=80 protocol=tcp accept'],0,ignore)
+FWD_RELOAD
+FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ public
+ target: default
+ icmp-block-inversion: no
+ interfaces:
+ sources:
+ services: cockpit dhcpv6-client ssh
+ ports:
+ protocols:
+ masquerade: no
+ forward-ports:
+ source-ports:
+ icmp-blocks:
+ rich rules:
+ rule family="ipv4" source address="104.243.250.0/22" port port="80" protocol="tcp" accept
+ ])])
+FWD_END_TEST
-- 
2.28.0
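Review bot: `stripNonPrintableCharacters` deletes characters rather than replacing them, and `str.isprintable()` is false for tab, newline and non-ASCII whitespace, so a rule whose tokens are separated by one of those — `rule family="ipv4"<newline>source address=...` — collapses to `"ipv4"source` and presumably no longer tokenizes as the author meant, while the test in this patch relies on deletion inside a quoted value; the two expectations conflict and nothing in the function says which is intended. Rejecting a rule that contains such characters is the fail-closed choice; if stripping is kept, state it in a docstring such as `"""Return rule_str with every character for which str.isprintable() is False deleted; this includes tab, newline and non-ASCII whitespace, not only control characters, so token boundaries may be lost."""`. The helper is also wedged between `checkIPnMask` and `checkIP6nMask`, which it has nothing to do with; it reads better next to the other string helpers (`b2u`/`u2b`).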
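Review bot: The only case exercised is a tab at the end of a quoted address, where deleting the character and the normalised `--list-all` output happen to agree; it does not pin the cases where deletion changes meaning — a non-printable character between two tokens (e.g. a newline between `family="ipv4"` and `source`) and a rule made solely of non-printable characters, which still passes the empty-rule guard in `Rich_Rule` before the strip runs. Adding a `FWD_CHECK` for each with the exit status you intend would document the intended behaviour rather than the incidental one. The tab itself is an invisible literal in the test source; naming the byte in the comment, `dnl source address contains a trailing tab (0x09) character`, makes an accidental editor normalisation easier to spot.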