From d2f4a4533af4aada9de7eedda9a244013f352668 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marta=20Marczykowska-G=C3=B3recka?= Date: Fri, 15 May 2020 16:01:18 +0200 Subject: [PATCH] Added a safeguard for invalid firewall rules Firewall rule cannot be missing value in declaration (e.g. 'dsthost=' is not a valid rule). fixes QubesOS/qubes-issues#5772 --- qubesadmin/tests/tools/qvm_firewall.py | 11 +++++++++++ qubesadmin/tools/qvm_firewall.py | 3 +++ 2 files changed, 14 insertions(+) diff --git a/qubesadmin/tests/tools/qvm_firewall.py b/qubesadmin/tests/tools/qvm_firewall.py index bb38350..1549501 100644 --- a/qubesadmin/tests/tools/qvm_firewall.py +++ b/qubesadmin/tests/tools/qvm_firewall.py @@ -96,6 +96,17 @@ class TC_00_RuleAction(qubesadmin.tests.QubesTestCase): qubesadmin.firewall.Rule( None, action='accept', dsthost='127.0.0.1/32')) + def test_007_none_errors(self): + ns = argparse.Namespace() + with self.assertRaises(argparse.ArgumentError): + self.action(None, ns, ['dsthost=', 'action=accept']) + with self.assertRaises(argparse.ArgumentError): + self.action(None, ns, ['dsthost=127.0.0.1', 'dstports=', + 'action=accept']) + with self.assertRaises(argparse.ArgumentError): + self.action(None, ns, ['dsthost=127.0.0.1', 'icmptype=', + 'action=accept']) + class TC_10_qvm_firewall(qubesadmin.tests.QubesTestCase): def setUp(self): diff --git a/qubesadmin/tools/qvm_firewall.py b/qubesadmin/tools/qvm_firewall.py index 15df6a1..979fd6b 100644 --- a/qubesadmin/tools/qvm_firewall.py +++ b/qubesadmin/tools/qvm_firewall.py @@ -48,6 +48,9 @@ class RuleAction(argparse.Action): allowed_opts = assumed_order + ['specialtarget', 'comment', 'expire'] kwargs = {} for opt in values: + if opt[-1] == '=': + raise argparse.ArgumentError( + None, 'invalid rule description: {}'.format(opt)) opt_elements = opt.split('=') if len(opt_elements) == 2: key, value = opt_elements