Bug 1596304

Summary: strip or reject non-printable characters (e.g. carriage return) in --add-rich-rule
Product: Red Hat Enterprise Linux 8 Reporter: Ashraf <ashrafsayedgomaa>
Component: firewalldAssignee: Eric Garver <egarver>
Status: CLOSED ERRATA QA Contact: Štěpán Němec <snemec>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.2CC: ashrafsayedgomaa, egarver, rkhan, todoleza
Target Milestone: rcKeywords: Reopened, Triaged, Upstream
Target Release: 8.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: firewalld-0.8.2-6.el8 Doc Type: Bug Fix
Doc Text:
Cause: non printable characters were permitted in rich rules Consequence: displaying the rules may cause artifacts such as breaking the rule across two lines. Fix: strip non printable characters from the rich rule string Result: rich rules are now displayed correctly.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 14:58:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ashraf 2018-06-28 14:46:03 UTC
Description of problem:
when trying to add (white list) IP from external url, if the list in url is not correctly encoded, you will be totally blocked from the server, you won't be able to connect unless physically or through KVM platform. even ping won't work, or web, ftp, ssh, all services will be blocked

Version-Release number of selected component (if applicable):


How reproducible:

for i in $(curl "https://www.cloudflare.com/ips-v4"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'$i'" port port=80 protocol=tcp accept'; done

if (https://www.cloudflare.com/ips-v4) is a url not correctly encoded, you are blocked.

Steps to Reproduce:
1.
2.
3.

Actual results:
firewall-cmd --list-all
you will see incorrect or incomplete rule at the end of list


Expected results:
if IP is not correct, fail to add rule

Additional info:
even if you uninstalled firewalld 
yum remove firewalld -y
and then reinstalled it
yum install firewalld

once it is enabled you will be blocked away from server, must access it via KVM

Comment 2 Eric Garver 2018-10-11 19:46:04 UTC
Can you provide an example of the improperly formatted input so I an reproduce this? As of now I'm unable to reproduce the issue.

Comment 3 Eric Garver 2018-11-13 22:09:04 UTC
As per comment 2 there is insufficient data to reproduce this issue.

Comment 4 Ashraf 2018-11-28 10:06:16 UTC
http://atyourserver.com/ip/ip.txt

this text file import in curl will cause all connections to server to be blocked, you will not be able to access server but physically by connecting keyboard

Comment 5 Eric Garver 2018-11-28 14:00:15 UTC
Thanks for providing the "bad" file. This occurs due to the carriage returns in the file. You can avoid it by running dos2unix on the file.
e.g.

  for i in $(curl "https://www.cloudflare.com/ips-v4" | dos2unix); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'$i'" port port=80 protocol=tcp accept'; done


However, firewalld should be smart enough to strip no printable characters from the string given to --add-rich-rule. So I'll reopen this BZ for that purpose.

Comment 7 Eric Garver 2020-05-07 17:27:33 UTC
This is a minor issue and there are no plans to fix this in RHEL-7. It can be worked around by sanitizing the input. Moving to RHEL-8.

Comment 23 errata-xmlrpc 2021-05-18 14:58:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1643