[server] make IPT_INPUT_ACCESS validation more strict on allowed chars

server/fw_util_iptables.c

@@ -729,6 +729,17 @@ set_fw_chain_conf(const int type, const char * const conf_str)
                 tbuf[i++] = *ndx;
         }
         ndx++;
+        if(*ndx != '\0'
+                && *ndx != ' '
+                && *ndx != ','
+                && *ndx != '_'
+                && isalnum(*ndx) == 0)
+        {
+            log_msg(LOG_ERR, "[*] Custom Chain config parse error: "
+                "invalid character '%c' for chain type %i, "
+                "line: %s", *ndx, type, conf_str);
+            return 0;
+        }
     }
 
     /* Sanity check - j should be the number of chain fields
@@ -736,9 +747,9 @@ set_fw_chain_conf(const int type, const char * const conf_str)
     */
     if(j != FW_NUM_CHAIN_FIELDS)
     {
-        log_msg(LOG_ERR, "[*] Custom Chain config parse error.\n"
-            "Wrong number of fields for chain type %i\n"
-            "Line: %s", type, conf_str);
+        log_msg(LOG_ERR, "[*] Custom Chain config parse error: "
+            "wrong number of fields for chain type %i, "
+            "line: %s", type, conf_str);
         return 0;
     }
 

test/tests/basic_operations.pl

@@ -706,7 +706,7 @@
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/Wrong\snumber\sof\sfields/],
+        'positive_output_matches' => [qr/wrong\snumber\sof\sfields/i],
         'exec_err' => $YES,
         'fatal'    => $NO
     },
@@ -757,7 +757,7 @@
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain5'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/invalid.*position/],
+        'positive_output_matches' => [qr/invalid\scharacter/],
         'exec_err' => $YES,
         'fatal'    => $NO
     },
@@ -770,7 +770,7 @@
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain6'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/invalid.*position/],
+        'positive_output_matches' => [qr/invalid\scharacter/],
         'exec_err' => $YES,
         'fatal'    => $NO
     },