Home Explore Help
Sign In
Qubes
/
core-admin
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

firewall: pass untrusted values as keyword arguments

Use keyword arguments to pass untrusted arguments to make sure the
function parameter also have `untrusted_` prefix.
Suggested by @woju
Marek Marczykowski-Górecki 7 years ago
parent
0200fdadcb
commit
2b963be9c7
2 changed files with 9 additions and 4 deletions
Split View Show Diff Stats
  1. 2 1
      qubes/api/admin.py
  2. 7 3
      qubes/firewall.py

+ 2 - 1
qubes/api/admin.py
View File 

@@ -1010,7 +1010,8 @@ class QubesAdminAPI(qubes.api.AbstractQubesAPI):
 
         rules = []
 
         for untrusted_line in untrusted_payload.decode('ascii',
 
                 errors='strict').splitlines():
 
-            rule = qubes.firewall.Rule.from_api_string(untrusted_line)
 
+            rule = qubes.firewall.Rule.from_api_string(
 
+                untrusted_rule=untrusted_line)
 
             rules.append(rule)
 
 
         self.fire_event_for_permission(rules=rules)

+ 7 - 3
qubes/firewall.py
View File 

@@ -417,7 +417,7 @@ class Rule(qubes.PropertyHolder):
 
         #  option-specific validation
 
         kwargs = {}
 
         if untrusted_comment:
 
-            kwargs['comment'] = untrusted_comment
 
+            kwargs['comment'] = Comment(untrusted_value=untrusted_comment)
 
 
         for untrusted_option in untrusted_options.strip().split(' '):
 
             untrusted_key, untrusted_value = untrusted_option.split('=', 1)
 
@@ -425,9 +425,13 @@ class Rule(qubes.PropertyHolder):
 
                 raise ValueError('Option \'{}\' already set'.format(
 
                     untrusted_key))
 
             if untrusted_key in [str(prop) for prop in cls.property_list()]:
 
-                kwargs[untrusted_key] = untrusted_value
 
+                kwargs[untrusted_key] = cls.property_get_def(
 
+                    untrusted_key).type(untrusted_value=untrusted_value)
 
             elif untrusted_key in ('dst4', 'dst6', 'dstname'):
 
-                kwargs['dsthost'] = untrusted_value
 
+                if 'dsthost' in kwargs:
 
+                    raise ValueError('Option \'{}\' already set'.format(
 
+                        'dsthost'))
 
+                kwargs['dsthost'] = DstHost(untrusted_value=untrusted_value)
 
             else:
 
                 raise ValueError('Unknown firewall option')