Date:      Wed, 20 May 2026 19:36:43 +0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 6f5674b97fd6 - stable/15 - bsdconfig: Make sure that SSID names are properly escaped
Message-ID:  <6a0e0d4b.367e1.369dbf44@gitrepo.freebsd.org>

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=6f5674b97fd6d5c0c6933a8d8579b0f93c307362

commit 6f5674b97fd6d5c0c6933a8d8579b0f93c307362
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-12 14:16:46 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-20 19:36:01 +0000

    bsdconfig: Make sure that SSID names are properly escaped
    
    The f_menu_wpa_scan_results() function returns a list of networks
    discovered by a scan.  The untrusted network names are evaluated in
    f_dialog_menu_wireless_edit.  The quoting applied in
    f_menu_wpa_scan_results() protects against evaluation of something like
    "$(whoami)" but one can add single quotes to defeat that.
    
    Pass the SSID names through f_shell_escape to work around this.  Escape
    single quotes in f_dialog_wireless_edit() and f_menu_wireless_configs()
    too for consistency.
    
    I note that this module doesn't seem to actually work, see e.g.,
    bugzilla PR 229883.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:23.bsdinstall
    Security:       CVE-2026-45255
    Reported by:    Austin Ralls
    Reviewed by:    dteske, des
    Differential Revision:  https://reviews.freebsd.org/D56974
---
 usr.sbin/bsdconfig/share/media/wlan.subr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/usr.sbin/bsdconfig/share/media/wlan.subr b/usr.sbin/bsdconfig/share/media/wlan.subr
index 5847356d1925..5d271c403b3c 100644
--- a/usr.sbin/bsdconfig/share/media/wlan.subr
+++ b/usr.sbin/bsdconfig/share/media/wlan.subr
@@ -813,6 +813,7 @@ f_dialog_wireless_edit()
 		[ $nmatches -le ${#DIALOG_MENU_TAGS} ] || break
 		f_substr -v tag "$DIALOG_MENU_TAGS" $nmatches 1
 
+		f_shell_escape "$wssid" wssid
 		f_wireless_describe WIRELESS_$n help
 		menu_list1="$menu_list1
 			'$tag $wssid' '$wbssid' '$help'
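Review bot: In f_dialog_wireless_edit(), only $wssid is escaped, yet the same menu_list1 entry also interpolates $wbssid and $help between single quotes in `'$tag $wssid' '$wbssid' '$help'`. The visible lines do not show whether those two values can carry a single quote from scan data or from f_wireless_describe output. If either can, it needs the same f_shell_escape treatment before the list is built. If neither can, a short comment saying why would keep the next reader from having to ask.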
@@ -1076,6 +1077,7 @@ f_menu_wireless_configs()
 	while [ $n -lt $nunique ]; do
 		n=$(( $n + 1 ))
 		menuitem_$n get ssid ssid
+		f_shell_escape "$ssid" ssid
 
 		menuitem_$n get nconfigs nconfigs
 		desc="$nconfigs $msg_configured_lc"
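Review bot: In f_menu_wireless_configs(), `f_shell_escape "$ssid" ssid` overwrites the raw SSID in place, so anything later in this loop iteration that reads $ssid for comparison or lookup rather than for the quoted menu string now sees the escaped form. Writing the result to a separate variable (for example a hypothetical ssid_esc) and using that only where the menu entry is assembled would keep the raw and escaped values from being confused. A one-line comment stating that the value is later evaluated inside single quotes would also document why the call is there.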
@@ -1184,6 +1186,7 @@ f_menu_wpa_scan_results()
 	while [ $n -lt $nunique ]; do
 		n=$(( $n + 1 ))
 		menuitem_$n get ssid ssid
+		f_shell_escape "$ssid" ssid
 
 		desc=
 		if [ "$DIALOG_MENU_WLAN_SHOW_ALL" ]; then
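Review bot: The pair `menuitem_$n get ssid ssid` followed by `f_shell_escape "$ssid" ssid` in f_menu_wpa_scan_results() is the same two lines added to f_menu_wireless_configs(), so the fix depends on every caller remembering the second line. Consider doing the escaping once, either in a small wrapper that returns the SSID already escaped or at the point where the single-quoted menu list is assembled, so a future loop over menuitem_$n cannot omit it. Also check that whatever is appended to desc under DIALOG_MENU_WLAN_SHOW_ALL is escaped if it comes from scan results, since only ssid is handled in the lines shown.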

