diff options
author | rnhmjoj <rnhmjoj@inventati.org> | 2024-04-21 09:39:00 +0200 |
---|---|---|
committer | rnhmjoj <rnhmjoj@inventati.org> | 2024-04-21 09:58:26 +0200 |
commit | 89a1bde018ad10f723658a988e5aee0b78846b73 (patch) | |
tree | 204407bd5b776017ca1773610aff5ac0dd66cf53 | |
parent | e5e8e0688fdf52563317b940ec4aa802b3564bc1 (diff) |
nixos/wireless: correctly handle secrets containing &
In the replacement arg of gsub() the & symbol is a special character that need to be escaped. To avoid this, and further issues due to the variable name possibly being interpreted as a regex, we do a normal substring replacement. This fixes issues #279803.
-rw-r--r-- | nixos/modules/services/networking/wpa_supplicant.nix | 8 | ||||
-rw-r--r-- | nixos/tests/wpa_supplicant.nix | 5 |
2 files changed, 10 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index c9dd1d1b0f01f..ae2e19c12698e 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -127,8 +127,12 @@ let # substitute environment variables if [ -f "${configFile}" ]; then ${pkgs.gawk}/bin/awk '{ - for(varname in ENVIRON) - gsub("@"varname"@", ENVIRON[varname]) + for(varname in ENVIRON) { + find = "@"varname"@" + repl = ENVIRON[varname] + if (i = index($0, find)) + $0 = substr($0, 1, i-1) repl substr($0, i+length(find)) + } print }' "${configFile}" > "${finalConfig}" else diff --git a/nixos/tests/wpa_supplicant.nix b/nixos/tests/wpa_supplicant.nix index 8c701ca7d5f71..76c00368986af 100644 --- a/nixos/tests/wpa_supplicant.nix +++ b/nixos/tests/wpa_supplicant.nix @@ -102,13 +102,15 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: test2.psk = "@PSK_SPECIAL@"; # should be replaced test3.psk = "@PSK_MISSING@"; # should not be replaced test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced + test5.psk = "@PSK_AWK_REGEX@"; # should be replaced }; # secrets environmentFile = pkgs.writeText "wpa-secrets" '' PSK_VALID="S0m3BadP4ssw0rd"; # taken from https://github.com/minimaxir/big-list-of-naughty-strings - PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~"; + PSK_SPECIAL=",./;'[]\/\-= <>?:\"{}|_+ !@#$%^&*()`~"; + PSK_AWK_REGEX="PassowrdWith&symbol"; ''; }; }; @@ -171,6 +173,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}") basic.succeed(f"grep -q @PSK_MISSING@ {config_file}") basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}") + basic.succeed(f"grep -q 'PassowrdWith&symbol' {config_file}") with subtest("WPA2 fallbacks have been generated"): assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1 |