cli: support backslash escaping in passwd-file

System Internals / NetworkManager - Thomas Haller [redhat.com] - 13 May 2020 08:28 UTC

Rework parsing of nmcli's passwd-file.

1) support backslash escaping of secrets.

- only the secret can be backslash escaped, the property and setting name cannot.

This is a change in behavior for passwd-files with secrets that contain a backslash.

2) strip the white space around the secret. This is a change in behavior for secrets that had leading or trailing spaces. Note that you can backslash escape spaces in secrets.

3) strip white space around the setting.property key. This is also a change in behavior, but such keys would never have been valid previously (or the caller would have performed the same kind of stripping).

4) accept '=' as alternative delimiter beside ':'. The ':' feels really odd and unexpected. Also accept '='. This is a change in behavior if keys would contain '=', which they really shouldn't.

5) reject non-UTF-8 secrets and keys. For keys, that is not an issue, because such keys were never valid. For secrets, it probably didn't work anyway to specify non-UTF-8 secrets, because most (if not all) secrets are transmitted via D-Bus as strings where arbitrary binary is not allowed.

6) ignore empty lines and lines starting with '#'.

7) ensure we don't leak any secrets in memory.

1) to 4) are changes in behavior. 3) and 4) seem less severe, as they only concern unusual setting.property keys, which really shouldn't be used (although, VPN secrets can have almost arbitrary names *sigh*). 1) and 2) are more dangerous, as they change behavior for secrets that contain backslashes or leading/trailing white space.

2285dd38e cli: support backslash escaping in passwd-file
clients/cli/connections.c | 152 +++++++++++++++++++++++++++++++++++-----------
1 file changed, 118 insertions(+), 34 deletions(-)

Upstream: cgit.freedesktop.org
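
The parsing rules 1) to 6) from the commit message, sketched as an added Python example; this is not NetworkManager's code (the commit itself changes C in clients/cli/connections.c), and rule 7) is not covered because Python strings cannot be reliably wiped. Assumptions, since the page does not state them: a backslash makes the following character literal, a dangling backslash is rejected, the line is split at the first ':' or '=', '#' may follow leading white space, and the function names and sample data are constructed here.

```python
import re

def _unescape_and_strip(text):
    """Resolve backslash escapes, then drop only *unescaped* outer white space."""
    chars = []                       # list of (character, was_escaped)
    it = iter(text)
    for ch in it:
        if ch == "\\":
            nxt = next(it, None)
            if nxt is None:          # assumption: reject a dangling backslash
                raise ValueError("dangling backslash in secret")
            chars.append((nxt, True))
        else:
            chars.append((ch, False))
    bare_space = lambda c: c[0].isspace() and not c[1]
    while chars and bare_space(chars[0]):
        chars.pop(0)
    while chars and bare_space(chars[-1]):
        chars.pop()
    return "".join(c for c, _ in chars)

def parse_passwd_file(data: bytes) -> dict:
    """Parse passwd-file bytes into {"setting.property": secret}."""
    secrets = {}
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        try:
            line = raw.decode("utf-8")            # rule 5: reject non-UTF-8
        except UnicodeDecodeError:
            raise ValueError(f"line {lineno}: not valid UTF-8") from None
        head = line.lstrip()
        if not head or head.startswith("#"):      # rule 6: blanks and comments
            continue
        m = re.search(r"[:=]", line)              # rule 4: ':' or '=' delimiter
        if m is None:
            raise ValueError(f"line {lineno}: missing ':' or '='")
        key = line[:m.start()].strip()            # rule 3: key is stripped, never unescaped
        setting, _, prop = key.partition(".")
        if not setting or not prop:
            raise ValueError(f"line {lineno}: key is not setting.property")
        secrets[key] = _unescape_and_strip(line[m.end():])   # rules 1 and 2
    return secrets

# Constructed sample: a comment, a blank line, a padded line, an escaped secret.
SAMPLE = (b"# constructed sample\n\n"
          b"  802-11-wireless-security.psk : hunter2  \n"
          b"vpn.secrets.password=\\ lead\\\\slash\\ \n")

if __name__ == "__main__":
    for key, secret in parse_passwd_file(SAMPLE).items():
        print(f"{key!r}: {len(secret)} characters")   # never print the secret itself
```
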

