Opened 5 years ago

Last modified 8 months ago

#551 new Bug / Defect

--ipchange: openvpn does not pass parameters correctly

Reported by: debbie10t Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: ipchange
Cc: David Sommerseth, plaisthos, tincantech

Description

According to the OpenVPN Manual:

--ipchange

When cmd is executed two arguments are appended after any arguments specified in cmd , as follows:

cmd ip_address port_number

However, this is not the case ...

Client.conf (default more or less):

ipchange 'ipchange.sh TEST'

ipchange.sh:

echo $(date)
echo P1: $1
echo P2: $2
echo P3: $3

Client log:

Thu May 7 22:37:01 BST 2015
P1: TEST
P2: [AF_INET]172.17.2.222 37323
P3: 

The string [AF_INET] and parameters ip_address and port_number are passed as one long string to one positional parameter.

Change History (4)

comment:1 Changed 5 years ago by Gert Döring

Cc: David Sommerseth plaisthos added

Indeed... regression, most likely as consequence of moving away from system() and always calling exec() here (and quite likely broken since the introduction of "script-security system", hundreds of years ago). Not trivial to fix, though, as the formatted string is used in different places.

Besides the "two parameters" thing, the [INET] bit is also slightly annoying - which is a 2.4 regression.

Could you test whether this is working in 2.3.x? (Your bug report says "git master") - the removal of system() was done in commit 3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2, which is part of 2.3_rc1 - so 2.3.x should also be broken in this regard.

Copying in dazo and plaisthos, as you're to blame :-) - but I wonder what we want to do about it, really...

comment:2 Changed 5 years ago by debbie10t

Initial test done with:

OpenVPN 2.3_git [git:master/23b6ba6378bf3a3f+] i686-pc-linux-gnu 
[SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on May  3 2015

Dated: 2015.05.03 @15:01

More tests:

Linux

OpenVPN 2.3.6 i686-pc-linux-gnu 
[SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014

Client config:

script-security 3
ipchange "ipchange.sh TEST"

ipchange.sh:

echo $(date)
echo P1: $1
echo P2: $2
echo P3: $3
echo P4: $4

Log:

Sun May 10 12:18:17 BST 2015
P1: TEST
P2: [AF_INET]88.105.52.9
P3: [AF_INET]37323
P4:

WXP (i003)

OpenVPN 2.3.6 i686-w64-mingw32 
[SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014

Client config:

script-security 3
ipchange "IPCHANGE.bat TEST"

IPCHANGE.bat:

set log=IPCHANGE.log

date /t > %log%
echo P1: %1 >> %log% 
echo P2: %2 >> %log%
echo P3: %3 >> %log%
echo P4: %4 >> %log%

IPCHANGE.log:

10/05/2015 
P1: TEST  
P2: [AF_INET]88.105.52.9 
P3: [AF_INET]37323 
P4:  

Result is actually correct .. two parms ip_address and port_number but with the slightly annoying [AF_INET] still present.

comment:3 Changed 5 years ago by Gert Döring

Thanks for the detailed test. This is indeed surprising, I would have sworn that it was a) broken in 2.3 as well (it is not) and that b) the [INET] thingie is new (it was even worse in 2.3...)

Now I'm getting courious how this might have looked in 2.2, before we started meddling with things :-)

comment:4 Changed 8 months ago by tincantech

Cc: tincantech added

More digging to do ..

Note: See TracTickets for help on using tickets.