Bug #16244: Gateway adress not trimed - pfSense - pfSense bugtracker

Custom queries

2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - Resolved/Closed
2.8.1 - All Open Bugs
2.8.1 - All Open Features
2.8.1 - All Open Issues
2.8.1 - All Open Regressions
2.8.1 - Feedback
2.8.1 - Needs Attention
2.8.1 - New/Confirmed
2.8.1 - Pull Requests
2.8.1 - Regressions affecting 2.8.0
2.8.1 - Resolved/Closed
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Target - All Closed Issues
25.07 Plus - All Closed Issues
25.07 Target - All Closed Issues
25.11 Plus - All Closed Issues
25.11 Plus - All Open Issues
25.11 Plus - Feedback Issues
25.11 Plus - Needs Attention/Work
25.11 Plus - New/Confirmed/In Progress Issues
25.11 Plus - Pull Request Review
25.11 Plus - Waiting on Merge
25.11 Target - All Closed Issues
25.11 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - CE Target Version (DO NOT EDIT)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #16244

open

Gateway adress not trimed

Added by Grischa Zengel 4 months ago. Updated 10 days ago.

Status:

New

Priority:

Very Low

Assignee:

Category:

Gateways

Target version:

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Default

Affected Version:

2.8.0

Affected Architecture:

All

Description

After upgrading from 2.7.2 to 2.8.0 I got RPCXML errors.
On second pfsense I got:
/xmlrpc.php: The command '/usr/local/bin/dpinger -S -r 0 -i GWV6_WAN -B 2a02:::2 -p /var/run/dpinger_GWV6_WAN~2a02::2~2a02::1 .pid -u /var/run/dpinger_GWV6_WAN~2a02::2~2a02::1 .sock -C "/etc/rc.gateway_alarm" -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 2a02::1 >/dev/null' returned exit code '1', the output was ''

If you have a look you will see a space before file extensions.
I see two problems:
1. surround files names with "".
2. trim gateway addresses.

History
Notes
Property changes

Actions

Copy link

Updated by Grischa Zengel 4 months ago

        <gateway_item>
            <interface>wan</interface>
            <gateway>2a02::1 </gateway>
            <name>GWV6_WAN</name>
            <weight>1</weight>
            <ipprotocol>inet6</ipprotocol>
            <descr></descr>
            <gw_down_kill_states></gw_down_kill_states>
        </gateway_item>

Actions

Copy link

Updated by Kris Phillips 12 days ago

Grischa Zengel wrote in #note-1:

[...]

Hello,

If you edit your Gateway under System --> Routing --> Gateways, do you have a whitespace at the end of your IP address field?

Actions

Copy link

Updated by Grischa Zengel 11 days ago

Yes, look at XML you will see a space. It was added by an error in 2.7.2 and made problems after upgrade.
I think it is/was possible to inject commands because the gateway is used unmasked and file names are not put between "".

Actions

Copy link

Updated by Jim Pingle 10 days ago

Priority changed from High to Very Low

Grischa Zengel wrote in #note-3:

I think it is/was possible to inject commands because the gateway is used unmasked and file names are not put between "".

The last part isn't possible now or any time that recently, as the address is validated in various ways. Someone would have to find a way to set that gateway to a non-IP address value and the only way that is possible would be by hand-editing the configuration. If they can do that, there are many worse things they could do.

I can't create a gateway with a trailing space in any current version or even in CE 2.7.2, so either the mistake was made much earlier than that, or it was done via hand editing the configuration.

It wouldn't hurt to trim the gateway address here and escape that command parameter, but I'm not seeing any recent scenario that would make it necessary.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #16244

Gateway adress not trimed

Updated by Grischa Zengel 4 months ago

Updated by Kris Phillips 12 days ago

Updated by Grischa Zengel 11 days ago

Updated by Jim Pingle 10 days ago