Opened 7 years ago

Closed 5 years ago

Last modified 5 years ago

#395 closed Bug / Defect (fixed)

Evaluating quoted path & file config statements syntax (Win32)

Reported by: debbie10t Owned by: Samuli Seppänen
Priority: minor Milestone: release 2.3.7
Component: Documentation Version: OpenVPN 2.3.3 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: windows
Cc:

Description

When evaluating "up" with a full path/file and an inserted parameter OpenVPN behaves like so:

(A.0) Using no path plus additional parameter:

up "BSTATUS.bat 1" Works

(A.1) double quotes and long names plus additional parameter:

up "c:\\program files\\openvpn\\config\\BSTATUS.bat 1"

Options error: --up script fails with
'c:\program files\openvpn\config\BSTATUS.bat 1': No such file or directory

(A.2) double quotes and short names plus additional parameter:

up "c:\\progra~1\\openvpn\\config\\BSTATUS.bat 1"

Options error: --up script fails with
'c:\progra~1\openvpn\config\BSTATUS.bat 1': No such file or directory

(A.3) single quote and long names plus additional parameter:

up 'c:\\program files\\openvpn\\config\\BSTATUS.bat 1'

Options error: --up script fails with
'c:\program': No such file or directory

(A.4) single quote and short names plus additional parameter:

up 'c:\\progra~1\\openvpn\\config\\BSTATUS.bat 1' Works

(B.1) double quote and long names plus additional parameter and slash:

up "c:/program files/openvpn/config/BSTATUS.bat 1"

Options error: --up script fails with
'c:/program': No such file or directory

(B.2) double quotes and short names plus additional parameter and slash:

up "c:/progra~1/openvpn/config/BSTATUS.bat 1" Works

(B.3) single quote and long names plus additional parameter and slash:

up 'c:/program files/openvpn/config/BSTATUS.bat 1'

Options error: --up script fails with
'c:/program': No such file or directory

(B.4) single quote and short names plus additional parameter and slash:

up 'c:/progra~1/openvpn/config/BSTATUS.bat 1' Works

(B.4i) single quote and short names plus additional parameter with mixed oblique and slash:

up 'c:\\progra~1/openvpn\\config/BSTATUS.bat 1' Works

The same is true for down, client-connect and client-disconnect.

As a side note, inserting a space between c and a (ca.crt):

ca "c:\\Program Files\\OpenVPN\\config\\Server1\\PKI\\c a.crt" WORKS !

Change History (12)

comment:1 Changed 6 years ago by Samuli Seppänen

Certainly a thorough review of how Windows paths escaping and quoting :). Is the current behavior something you would not expect?

comment:2 Changed 5 years ago by Samuli Seppänen

Keywords: windows added

Debbie10t: this explains how OpenVPN behaves according to your tests. I assume some of the behavior is not what you expected, meaning that there is a bug somewhere. Please let us know what OpenVPN should do differently and why, and we will consider fixing this. Otherwise we have to close this ticket as "notabug".

comment:3 Changed 5 years ago by debbie10t

OK close as "notabug"

With this comment:

  • All directives which reference a file (in a configuration file) which have parameters added to the command line string (in this case --up bstatus.bat 1 plus the openvpn appended parameters) do not support spaces in the name of the file.
  • Where as directives which reference a file (in a configuration file) which do not have parameters appended after the name of the file do support spaces in the file name. eg: --ca (see my initial report)

comment:4 Changed 5 years ago by Samuli Seppänen

Component: ConfigurationDocumentation
Owner: set to Samuli Seppänen
Status: newaccepted

Ok, smells like we could improve the documentation a bit. I will take care of it, then close this ticket. Thanks!

comment:5 Changed 5 years ago by Samuli Seppänen

Milestone: release 2.3.7

comment:6 Changed 5 years ago by Gert Döring

Script names with spaces in them *might* work if the space is escaped on its own

--up '/program\ files/myscript.bat 1'

but in general, openvpn has no reasonable chance here to recognize where the command name ends and where the arguments start - and that distinction need to be done to exec() the correct part of the command line. In other words: blanks in commands are not going to work really well on any operating system, not a particular problem to windows - it's worse on windows because of "C:\program files\" being there by default.

The fact that it works for --ca is easily explained - no argument splitting needs to be done there, all of the argument given is "the file name, period".

Samuli: be quick or bounce to 2.3.8, release coming up :-)

comment:7 in reply to:  6 Changed 5 years ago by debbie10t

Replying to cron2:

Script names with spaces in them *might* work if the space is escaped on its own

--up '/program\ files/myscript.bat 1'

Fair play .. I forgot to try that ..

Perhaps this particular bug-rep could be renamed something like "white space in config files" especially considering ..

Connection blocks:

### connection #1
   <connection>
    remote server.ip.add port
</connection>

Works!


### connection #2
   <connection>
   remote server.ip.add port
   </connection>

Throws:

2.3_git [20150526_1222]:

Options error: Unrecognized option or missing parameter(s) in [CONNECTION-OPTIONS]:2: /connection (2.3_git)
Use --help for more information.

Win236:

Options error: Unrecognized option or missing parameter(s) in [CONNECTION-OPTIONS]:2: /connection (2.3.6)
Use --help for more information.
Press any key to continue...

comment:8 Changed 5 years ago by Samuli Seppänen

Would this addition to the man-page (--script-security section) look ok to you both:

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index df16a7f..6797bfc 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2007,6 +2007,11 @@ or
 As of OpenVPN v2.3, this flag is no longer accepted.  In most *nix environments the execve()
 approach has been used without any issues.

+Some directives such as \-\-up allow options to be passed to the external 
+script. In these cases make sure the script name does not contain any spaces or 
+the configuration parser will choke because it can't determine where the script 
+name ends and script options start.
+
 To run scripts in Windows in earlier OpenVPN
 versions you needed to either add a full path to the script interpreter which can parse the
 script or use the

If this looks ok, I will send a patch.

The connection block issue looks interesting: the config parser sees the linefeed, thinks there's another directive coming up and barfs when the next line (directive) has no content except spaces. I think this is a separate issue and we should fix it in the code if possible. Thoughts?

comment:9 Changed 5 years ago by Samuli Seppänen

My documentation fix proposal was pre-ACKed by cron2, so I'll be sending a patch soon. I'll also create a separate tickets for the connection block issue.

comment:10 Changed 5 years ago by debbie10t

In future I shall submit one bug per trac .. thanks for your help :)

comment:11 Changed 5 years ago by Gert Döring

Your patch has been applied to the master and release/2.3 branch.

commit 001384e2952b54089e889edbda3196283b21641d (master)
commit 9f1d4545049bb643bf214498709e2af001bbe106 (release/2.3)

Author: Samuli Seppänen
Date: Tue Jun 2 10:59:42 2015 +0300

Improve documentation in --script-security section of the man-page

comment:12 Changed 5 years ago by Samuli Seppänen

Resolution: fixed
Status: acceptedclosed

The connection block thing is now in ticket #569. I'll close this ticket as fixed.

Last edited 5 years ago by Samuli Seppänen (previous) (diff)
Note: See TracTickets for help on using tickets.