Page MenuHomePhabricator

show config commands - breaks when using backslashes in values
Closed, ResolvedPublicBUG

Description

Consider the following:

Set a node value with a backslash character, eg on the interface:

set interfaces ethernet eth0 description "Testing\ Hello\ World"
commit; exit

Description works ok:

vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.16.16.134/24                  u/u  Testing\ Hello\ World 
lo               127.0.0.1/8                       u/u  
                 ::1/128

Breakage when dumping config commands:

vyos@vyos:~$ show config commands
Could not parse the config file: Failed to parse config: Illegal string character: \

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rc7
Why the issue appeared?
Will be filled on close

Event Timeline

yun created this task.Nov 13 2018, 1:02 AM
yun updated the task description. (Show Details)
syncer triaged this task as Low priority.Nov 13 2018, 3:49 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc8); removed VyOS 1.2 Crux.
arne added a subscriber: arne.Nov 26 2018, 2:33 PM

Is there any need to have backslashes in descriptions? Or, more generally: Is there any need to have non-ASCII characters in descriptions?

I am asking because we could either handle this in the setting part of the code (which could clear the backslashes and all other kinds of potentially unwanted special characters) or we handle this in the config printing code.

yun added a comment.EditedNov 26 2018, 2:53 PM
In T1001#26863, @arne wrote:

Is there any need to have backslashes in descriptions? Or, more generally: Is there any need to have non-ASCII characters in descriptions?
I am asking because we could either handle this in the setting part of the code (which could clear the backslashes and all other kinds of potentially unwanted special characters) or we handle this in the config printing code.

I gave this just as an example on how to reproduce it in an easy way. Setting it in the "description" field was maybe not the best example to showcase the real world issues with it.

I have a need for it when passing CLI arguments to OpenVPN (or maybe some other processes in the future?), via the openvpn-option fields:

set interfaces openvpn vtun1 openvpn-option '--pkcs11-id SafeNet,\ Inc./eToken/012345/SafeNet\ eToken\ 5110/ABCDEF'

so above works good but the only thing is that it breaks on v1.2.x with show config commands. It worked fine on 1.1.8.

I tried quoting the command as follows, but it's not allowed:

vyos@vyos# set interfaces openvpn vtun1 openvpn-option '--pkcs11-id "SafeNet, Inc./eToken/012345/SafeNet eToken 5110/ABCDEF"'

  Cannot use the double quote (") character in a value string
  Value validation failed
  Set failed

Or single quotes:

vyos@vyos# set interfaces openvpn vtun1 openvpn-option "--pkcs11-id 'SafeNet, Inc./eToken/012345/SafeNet eToken 5110/ABCDEF'"

  Cannot use the single quote (') character in a value string
  Value validation failed
  Set failed

If I don't escape the spaces, it will pass only the first word to openvpn as the argument, breaking the commandline.

arne added a comment.Nov 28 2018, 11:05 PM

The problem is fixed by the following pull request: https://github.com/vyos/vyos-1x/pull/60
Detailed description is added to the pull request.

dmbaturin closed this task as Resolved.Nov 29 2018, 12:56 AM
dmbaturin claimed this task.
dmbaturin added a subscriber: dmbaturin.

@arne I think it's a sensible workaround. It's an interesting design question whether we should escape backslashes in config output.

I've added the same fix to the commands pipe script. Another thing that, ahem, escaped me is that escape was also needed in the code that converts a config tree to commands. Should be also fixed now.

One possible issue is that if someone is using special characters in options that pass custom config lines to DHCPD etc. they may be affected, but I believe the possibility is theoretical. If anyone complains, we may try to find a way to escape backslashes only if they are not a part of a valid special character escape (\n, \t etc.).

yun added a comment.Feb 11 2019, 12:32 PM

Just to add extra info to this ticket, I had a openvpn-option that i wanted to add but it contained a single quote. I was not able to do this (in version 1.8.x this worked).

As a workaround I did the following:

openvpn-option '--config /config/auth/vpn/openvpn.conf'

And in /config/auth/vpn/openvpn.conf I added the configuration option containing the single quote:

pkcs11-id "SafeNet, Inc./eToken/012345/Yun's Token/ABCDEF"

Hope someone finds this information helpful incase they run into the same issue :)