<feed xmlns='http://www.w3.org/2005/Atom'>
<title>openvpn.git/src/openvpn/platform.c, branch release/2.3</title>
<subtitle>Copy of the official OpenVPN git repo</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/dsommers/public_git/openvpn.git/'/>
<entry>
<title>Remove dead code path and putenv functionality</title>
<updated>2013-02-03T12:03:15+00:00</updated>
<author>
<name>Arne Schwabe</name>
<email>arne@rfc2549.org</email>
</author>
<published>2013-02-03T11:12:31+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/dsommers/public_git/openvpn.git/commit/?id=d84002f419abd3ac18fe906fa58d03c1a648a3fb'/>
<id>d84002f419abd3ac18fe906fa58d03c1a648a3fb</id>
<content type='text'>
The construct_name_value function call will always fail so this code path
is never used. Since we now always have a valid environment in
static_context-&gt;c2.es it is better to have an ASSERT(es) than to call this
code path.

Signed-off-by: Arne Schwabe &lt;arne@rfc2549.org&gt;
Acked-by: David Sommerseth &lt;davids@redhat.com&gt;
Acked-by: Gert Doering &lt;gert@greenie.muc.de&gt;
Message-Id: 1359889951-3369-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7323
Signed-off-by: Gert Doering &lt;gert@greenie.muc.de&gt;
</content>
</entry>
<entry>
<title>Remove the support for using system() when executing external programs or scripts</title>
<updated>2012-10-31T12:59:04+00:00</updated>
<author>
<name>David Sommerseth</name>
<email>davids@redhat.com</email>
</author>
<published>2012-10-25T12:22:30+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/dsommers/public_git/openvpn.git/commit/?id=3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2'/>
<id>3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2</id>
<content type='text'>
This patch removes the support for the system() call, and enforces the
usage of execve() on the *nix platform and CreateProcessW() on Windows.
This is to enhance the overall security when calling external scripts.
Using system() is prone to shell expansions, which may lead to security
breaches.  Which is also why the execve() approach has been the default
since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf which
re-introduced the system() in Nov. 2008.

After having asked on the mailing list and checked around on the IRC
channels, the general consensus is that very few use system() these
days.

The only annoyance I've been made aware of is that this will now
require adding a full path to the script interpreter together with the
script, and not just put in the script name alone.  But to just use the
script name in Windows, you had to configure --script-security with the
'system' flag earlier too.  So my conclusion is that it's better to add
a full path to the script interpreter in Windows and raise the overall
security with OpenVPN, than to continue to have a possible potentially
risky OpenVPN configuration just to make life "easier" for Windows
script users.

Removal of the system() call also solves a nasty bug related to the
usage of putenv() on the *nix platforms.

For more information please see:
http://thread.gmane.org/gmane.network.openvpn.devel/7090
https://community.openvpn.net/openvpn/ticket/228

Trac-ticket: 228
Signed-off-by: David Sommerseth &lt;davids@redhat.com&gt;
Acked-by: Gert Doering &lt;gert@greenie.muc.de&gt;
Message-Id: &lt;1351539352-17371-1-git-send-email-dazo@users.sourceforge.net&gt;
URL: http://article.gmane.org/gmane.network.openvpn.devel/7114
(cherry picked from commit 0563473601abfbf2142bfa0ca5b863c5aa7953a2)
</content>
</entry>
<entry>
<title>build: move wrappers into platform module</title>
<updated>2012-03-23T23:14:14+00:00</updated>
<author>
<name>Alon Bar-Lev</name>
<email>alon.barlev@gmail.com</email>
</author>
<published>2012-02-29T20:12:19+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/dsommers/public_git/openvpn.git/commit/?id=14a131ac1cfc95e5ba2518ff887d04c034aecc53'/>
<id>14a131ac1cfc95e5ba2518ff887d04c034aecc53</id>
<content type='text'>
+ Some fixups within the platform.c functions.
- need to check environment set on Windows.

Signed-off-by: Alon Bar-Lev &lt;alon.barlev@gmail.com&gt;
Acked-by: Gert Doering &lt;gert@greenie.muc.de&gt;
Signed-off-by: David Sommerseth &lt;davids@redhat.com&gt;
</content>
</entry>
</feed>
