Hi,

On Fri, Oct 5, 2018 at 5:44 AM Steffan Karger <stef...@karger.me> wrote:

> Hi,
>
> On 13-07-18 16:16, selva.n...@gmail.com wrote:
> > From: Selva Nair <selva.n...@gmail.com>
> >
> > The error is treated as a warning only if it's triggered due
> > to script_security < SSEC_SCRIPTS.
> >
> > This helps user interfaces enforce a safer script-security setting
> > without causing a FATAL error.
>
> But does it make sense at all to accept configs that have a --up script
> without a sufficiently-high script-security set?
>

This came out of a proposed patch for the GUI to protect lay users from
malicious scripts embedded in config files.

Recall the ado about exploiting scripts using unsuspecting "inline" commands.
To defeat such exploits we want to enforce a safer script security setting
from the GUI but do not want to cause a FATAL error as that would be
counterproductive.

Please see GUI PR #271 https://github.com/OpenVPN/openvpn-gui/pull/271 and
my comment dated Jul 3 under it.

The discussion that led to this is here:
https://github.com/OpenVPN/openvpn-gui/issues/270

Thanks,

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
