authorrnhmjoj <rnhmjoj@inventati.org>2024-04-21 09:39:00 +0200
committerrnhmjoj <rnhmjoj@inventati.org>2024-04-21 09:58:26 +0200
commit89a1bde018ad10f723658a988e5aee0b78846b73 (patch)
tree204407bd5b776017ca1773610aff5ac0dd66cf53
parente5e8e0688fdf52563317b940ec4aa802b3564bc1 (diff)
nixos/wireless: correctly handle secrets containing &
In the replacement arg of gsub() the & symbol is a special character
that needs to be escaped. To avoid this, and further issues due to the
variable name possibly being interpreted as a regex, we do a normal
substring replacement.

This fixes issues #279803.
-rw-r--r--nixos/modules/services/networking/wpa_supplicant.nix8
-rw-r--r--nixos/tests/wpa_supplicant.nix5
2 files changed, 10 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix
index c9dd1d1b0f01f..ae2e19c12698e 100644
--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@@ -127,8 +127,12 @@ let
         # substitute environment variables
         if [ -f "${configFile}" ]; then
           ${pkgs.gawk}/bin/awk '{
-            for(varname in ENVIRON)
-              gsub("@"varname"@", ENVIRON[varname])
+            for(varname in ENVIRON) {
+              find = "@"varname"@"
+              repl = ENVIRON[varname]
+              if (i = index($0, find))
+                $0 = substr($0, 1, i-1) repl substr($0, i+length(find))
+            }
             print
           }' "${configFile}" > "${finalConfig}"
         else
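Review bot: The new loop replaces only the first `@varname@` occurrence on a line, because `index()` on L34 is evaluated once, whereas the `gsub()` it replaces substituted every occurrence; a config line that references the same variable twice now keeps the second placeholder, so the raw token rather than the secret ends up in `finalConfig`. A scan-and-append loop restores replace-all while still treating both the token and the value as plain strings, and by advancing past each replacement it never rescans inserted text, so a value that itself contains `@NAME@` cannot loop forever. Iteration order over ENVIRON is unspecified in awk, so the outcome is order-dependent when one value contains another variable's token; that was already true of the old code and deserves a comment such as `# ENVIRON order is unspecified: a value containing another @NAME@ token is substituted or not depending on order`. The awk program is fully inside the hunk, but the shell script that embeds it continues outside.
```nix
          ${pkgs.gawk}/bin/awk '{
            for(varname in ENVIRON) {
              find = "@"varname"@"
              repl = ENVIRON[varname]
              out = ""; rest = $0
              # advance past each replacement so inserted text is never rescanned
              while (i = index(rest, find)) {
                out = out substr(rest, 1, i-1) repl
                rest = substr(rest, i+length(find))
              }
              $0 = out rest
            }
            # … unchanged: print and redirection to finalConfig …
```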
diff --git a/nixos/tests/wpa_supplicant.nix b/nixos/tests/wpa_supplicant.nix
index 8c701ca7d5f71..76c00368986af 100644
--- a/nixos/tests/wpa_supplicant.nix
+++ b/nixos/tests/wpa_supplicant.nix
@@ -102,13 +102,15 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
           test2.psk = "@PSK_SPECIAL@";            # should be replaced
           test3.psk = "@PSK_MISSING@";            # should not be replaced
           test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
+          test5.psk = "@PSK_AWK_REGEX@";          # should be replaced
         };
 
         # secrets
         environmentFile = pkgs.writeText "wpa-secrets" ''
           PSK_VALID="S0m3BadP4ssw0rd";
           # taken from https://github.com/minimaxir/big-list-of-naughty-strings
-          PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
+          PSK_SPECIAL=",./;'[]\/\-= <>?:\"{}|_+ !@#$%^&*()`~";
+          PSK_AWK_REGEX="PassowrdWith&symbol";
         '';
       };
     };
@@ -171,6 +173,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
           basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
           basic.succeed(f"grep -q @PSK_MISSING@ {config_file}")
           basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
+          basic.succeed(f"grep -q 'PassowrdWith&symbol' {config_file}")
 
       with subtest("WPA2 fallbacks have been generated"):
           assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1
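Review bot: The assertions only prove that the `@PSK_SPECIAL@` placeholder was removed (L62); nothing checks that the naughty string defined as PSK_SPECIAL in the preceding hunk arrived intact, so a substitution that mangles `&` or drops characters still passes, and the new check on L65 is the only positive assertion in the file. A fixed-string grep on a distinctive tail of that value, e.g. `basic.succeed(f"grep -qF -- '%^&*()' {config_file}")`, would pin the substituted value rather than the absence of the token, assuming the value survives EnvironmentFile parsing unchanged. Using `grep -qF` on L65 as well avoids the secret being read as a regular expression, which is the class of bug this commit fixes. The Python test script continues outside the hunk.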