Added a safeguard for invalid firewall rules

A firewall rule option cannot be declared without a value
(e.g. 'dsthost=' is not a valid rule).

fixes QubesOS/qubes-issues#5772
Marta Marczykowska-Górecka 2020-05-15 16:01:18 +02:00
parent 83b1fc6c58
commit d2f4a4533a
No known key found for this signature in database
GPG Key ID: 9A752C30B26FD04B
2 changed files with 14 additions and 0 deletions


@ -96,6 +96,17 @@ class TC_00_RuleAction(qubesadmin.tests.QubesTestCase):
qubesadmin.firewall.Rule( qubesadmin.firewall.Rule(
None, action='accept', dsthost='127.0.0.1/32')) None, action='accept', dsthost='127.0.0.1/32'))
def test_007_none_errors(self):
ns = argparse.Namespace()
with self.assertRaises(argparse.ArgumentError):
self.action(None, ns, ['dsthost=', 'action=accept'])
with self.assertRaises(argparse.ArgumentError):
self.action(None, ns, ['dsthost=127.0.0.1', 'dstports=',
'action=accept'])
with self.assertRaises(argparse.ArgumentError):
self.action(None, ns, ['dsthost=127.0.0.1', 'icmptype=',
'action=accept'])
class TC_10_qvm_firewall(qubesadmin.tests.QubesTestCase): class TC_10_qvm_firewall(qubesadmin.tests.QubesTestCase):
def setUp(self): def setUp(self):


@ -48,6 +48,9 @@ class RuleAction(argparse.Action):
allowed_opts = assumed_order + ['specialtarget', 'comment', 'expire'] allowed_opts = assumed_order + ['specialtarget', 'comment', 'expire']
kwargs = {} kwargs = {}
for opt in values: for opt in values:
if opt[-1] == '=':
raise argparse.ArgumentError(
None, 'invalid rule description: {}'.format(opt))
opt_elements = opt.split('=') opt_elements = opt.split('=')
if len(opt_elements) == 2: if len(opt_elements) == 2:
key, value = opt_elements key, value = opt_elements
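Review bot: The new guard `opt[-1] == '='` raises IndexError when an element of `values` is the empty string (for example a rule argument given as `''`), whereas before this change an empty string reached `opt.split('=')` without an exception at this point; `if opt.endswith('='):` makes the same test and is safe for empty input. The guard looks only at the last character, so an option with an empty key such as `=accept` still reaches the split, and whether that is rejected later cannot be seen because the loop body continues outside the hunk. Passing `None` as the first argument of `argparse.ArgumentError` leaves the option name out of the error message; if this code is inside the action's `__call__`, passing `self` would include it. A test case for an empty-string argument next to the three in `test_007_none_errors` would pin the first point.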