From 8644ac83446ced746cc232643974c4120bff5a6b Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sat, 29 Apr 2017 13:55:40 +0100 Subject: [PATCH] make-secnet-sites: Don't allow setting new VPN-level props when restricted. Currently, one can say something like vpn thing renegotiate-time 1 location evil ## ... and if the VPN admin failed to set a value for `renegotiate-time' then everyone will spin their CPUs doing key exchange. Fix this lacuna. Now user input can only modify location and site properties. If the administrator didn't set a location-level `restrict-nets', then a user can do this, but obviously that can't make anything worse. Signed-off-by: Mark Wooding --- README.make-secnet-sites | 3 +++ make-secnet-sites | 11 +++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/README.make-secnet-sites b/README.make-secnet-sites index 9a528c1..cef4368 100644 --- a/README.make-secnet-sites +++ b/README.make-secnet-sites @@ -112,6 +112,9 @@ INPUT SYNTAX VPN, and location properties which are already defined. (Assigning new properties is permitted.) + * It is not permitted to define new VPN-level + properties. + Finally, the properties. If a property has already been defined on an item, then it is an diff --git a/make-secnet-sites b/make-secnet-sites index b66f950..5f271e3 100755 --- a/make-secnet-sites +++ b/make-secnet-sites @@ -380,13 +380,16 @@ def pline(i,allow_include=False): current=nl obstack.append(current) return [i] - if current.allow_properties.has_key(keyword): - set_property(current,w) - return [i] - else: + if not current.allow_properties.has_key(keyword): complain("Property %s not allowed at %s level"% (keyword,current.type)) return [] + elif current.depth == vpnlevel.depth < allow_defs: + complain("Not allowed to set VPN properties here") + return [] + else: + set_property(current,w) + return [i] complain("unknown keyword '%s'"%(keyword)) -- 2.30.2