From 5217db95b15e992b4a18d40ff3daec6987a65af9 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Sun, 7 Jul 2019 18:49:01 +0200
Subject: Add deprecation message for old format and added check for unexpected/invalid characters in profile (additional security measure)
---
include/profiles | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
(limited to 'include/profiles')
diff --git a/include/profiles b/include/profiles
index 2840ed3b..101a8a77 100644
--- a/include/profiles
+++ b/include/profiles
@@ -32,8 +32,37 @@ for PROFILE in ${PROFILES}; do LogText "Reading profile/configuration ${PROFILE}" - FIND=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | sed 's/ /!space!/g') - for CONFIGOPTION in ${FIND}; do + + # Show deprecation message for old config entries + FOUND=0 + #DATA=$(egrep "^config:" ${PROFILE} | od --address-radix=none -t a | sed 's/ /!space!/g') + #if ! IsEmpty "${DATA}"; then FOUND=1; fi + # Items such as 'apache:' + DATA=$(egrep "^[a-z-]{1,}:" ${PROFILE} | od --address-radix=none -t a | sed 's/ /!space!/g') + if ! IsEmpty "${DATA}"; then FOUND=1; fi + + if [ ${FOUND} -eq 1 ]; then + DisplayWarning "Your profile contains old-style configuration entries. See log file for more details and how to convert these entries" + LogText "Your profile has one or more configuration items that are in an old format (lines starting with key:value). They need to be converted into the new format (key=value)." + LogText "Tip: Use egrep to see the relevant matches (egrep \"^[a-z-]{1,}:\" custom.prf)" + sleep 30 + fi + + # Security check for unexpected and possibly harmful escape characters + DATA=$(grep -v '^$\|^ \|^#\|^config:' ${PROFILE} | tr -d '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | od --address-radix=none -t a | sed 's/ /!space!/g') + if ! IsEmpty "${DATA}"; then + DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information." + LogText "Found unexpected or possibly harmful characters in the profile. See output below." + for I in "${DATA}"; do + I=$(echo ${I} | sed 's/!space!/ /g') + LogText "Output: ${I}" + done + sleep 30 + fi + + # Now parse the profile and filter out unwanted characters + DATA=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | sed 's/ /!space!/g') + for CONFIGOPTION in ${DATA}; do if ContainsString "config:" "${CONFIGOPTION}"; then # Old style configuration OPTION=$(echo ${CONFIGOPTION} | cut -d ':' -f2) -- cgit v1.2.3
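Review bot: The new character check fails open when its `od` stage errors, because an empty `DATA` is read as "nothing unexpected": `--address-radix=none` is a GNU long option, so on an `od` without long-option support the pipeline yields no output and no warning is raised. The deprecation check above it uses the same `od` call and is silenced the same way. The POSIX spelling `od -A n -t a` in both pipelines avoids this, and the `\|` alternation in the `grep -v` pattern is likewise a GNU BRE extension that is more portable as `grep -Ev '^$|^ |^#|^config:'`. Separately, `for I in "${DATA}"` runs exactly once because the expansion is quoted, so the loop adds nothing over a single `LogText` call on the converted string. The enclosing `for PROFILE` loop and the `for CONFIGOPTION` body continue outside the hunk, so how the filtered values are used later cannot be checked from here.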