OPNSense/core 9e67434 src/opnsense/mvc/app/library/OPNsense/Backup Base.php

system: replace exec() in config encrypt/decrypt #9325

Although these are very safe the calls are much more portable now
and this was also the last exec() in the MVC code.  Plus, Shell
class was already being used elsewhere here.
Delta    File
+21 -25  src/opnsense/mvc/app/library/OPNsense/Backup/Base.php
+21 -25  1 files

OPNSense/core 7fcfa98 src/opnsense/mvc/app/library/OPNsense/System/Status LiveMediaStatus.php

system: replace exec() in live banner SSH probe
Delta  File
+4 -3  src/opnsense/mvc/app/library/OPNsense/System/Status/LiveMediaStatus.php
+4 -3  1 files

OPNSense/core 0251e29 src/opnsense/mvc/app/library/OPNsense/OpenVPN ViscosityVisz.php ArchiveOpenVPN.php

openvpn: replace exec() in MVC code #9325
Delta   File
+3 -5   src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
+2 -5   src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
+5 -10  2 files

OPNSense/core 97347af src/opnsense/mvc/app/controllers/OPNsense/Core/Api BackupController.php

system: replace history diff exec with shell_safe #9325
Delta  File
+2 -2  src/opnsense/mvc/app/controllers/OPNsense/Core/Api/BackupController.php
+2 -2  1 files

OPNSense/core ddcb381 src/etc/inc filter.inc

firewall: remove mutes from 3 execution calls

Mute is used when we know the operation could fail but these don't
look like it and shouldn't.  In the shaper case the script even ends
using exit 0 without a set -e so that's going to be fine all the time.
Delta  File
+3 -3  src/etc/inc/filter.inc
+3 -3  1 files

OPNSense/core 685aecd src/etc/inc console.inc, src/opnsense/scripts/shell password.php

backend: all core now avoids direct shell_exec() calls
Delta    File
+9 -8    src/opnsense/scripts/shell/password.php
+5 -5    src/etc/inc/console.inc
+14 -13  2 files

OPNSense/core f6ebeee src/etc/inc interfaces.inc

interfaces: stop command in variable usage in wlan code

Actually transforms unsafe commands either run or embedded into the
script.  Pretty cool that we can also secure script generation with
exec_safe() ;)
Delta   File
+5 -14  src/etc/inc/interfaces.inc
+5 -14  1 files

OPNSense/core 8aa9db1 . plist, src/etc/inc util.inc

backend: move exec_safe, pass_safe and shell_safe to a class #9325

Do a clean cut to a class for these functions first.  We need them in the
MVC code and this is a good opportunity to try and add them to the legacy
code via the wrappers.

The others should follow but let's settle on better names first perhaps.
Delta    File
+71 -0   src/opnsense/mvc/app/library/OPNsense/Core/Safe.php
+12 -32  src/etc/inc/util.inc
+1 -0    plist
+84 -32  3 files

OPNSense/core fbfe542 src/etc/inc interfaces.inc

interfaces: clear instances of mwexec() #9325
Delta    File
+51 -43  src/etc/inc/interfaces.inc
+51 -43  1 files

OPNSense/core 42d15e4 src/etc/inc/plugins.inc.d dnsmasq.inc openvpn.inc

plugins: minor mwexec(f) safety #9325
Delta  File
+2 -2  src/etc/inc/plugins.inc.d/dnsmasq.inc
+1 -1  src/etc/inc/plugins.inc.d/openvpn.inc
+1 -1  src/etc/inc/plugins.inc.d/unbound.inc
+4 -4  3 files

OPNSense/core 22b003c src/etc/inc util.inc

backend: extend exec_safe() to allow array of format strings #9325

For years this has bothered me and the last couple of weeks I've tried
and failed to introduce something reasonable into $args handling that
can better do dynamic command generation paired with ease of use.

The irony is the solution was already in the code: $args supports arrays
and join(' ', $cmds) was used in caller code to construct the final
format string which is safe by default.

By making $format an array we can keep the separation of format and args
and are otherwise totally flexible in providing these to arrays and avoiding
any sort of ordering problems a number of other failed attempts at extending
this suffered from.
Delta  File
+5 -1  src/etc/inc/util.inc
+5 -1  1 files

OPNSense/core ceaafdb src/opnsense/mvc/app/controllers/OPNsense/Core/Api FirmwareController.php, src/opnsense/mvc/app/library/OPNsense/Backup Base.php

mvc: shell_safe use where needed
Delta  File
+2 -1  src/opnsense/mvc/app/library/OPNsense/Backup/Base.php
+2 -1  src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php
+1 -1  src/opnsense/mvc/app/views/OPNsense/IPsec/tunnels.volt
+5 -3  3 files

OPNSense/core 503ef42 src/etc rc.routing_configure, src/etc/inc util.inc

backend: also introduce pass_safe()

All these functions are bound to take a dynamic argument at some point.
Add a few callers although by no means complete for now.
Delta   File
+6 -0   src/etc/inc/util.inc
+2 -2   src/opnsense/scripts/shell/banner.php
+1 -1   src/opnsense/scripts/shell/ping.php
+1 -1   src/etc/rc.routing_configure
+10 -4  4 files

OPNSense/core 4239749 src/etc/inc util.inc

backend: comment
Delta  File
+1 -1  src/etc/inc/util.inc
+1 -1  1 files

OPNSense/core 1b6d23e src/etc/inc system.inc util.inc, src/etc/inc/plugins.inc.d dhcpd.inc

backend: switch the previously touched join()s to implode()s
Delta  File
+4 -4  src/etc/inc/system.inc
+2 -2  src/etc/inc/plugins.inc.d/dhcpd.inc
+1 -1  src/etc/inc/util.inc
+7 -7  3 files

OPNSense/core 1fa97c5 src/etc/inc filter.inc

firewall: mwexecf() stuff #9325

mwexecfn() is actually really good for grepping and therefore future
audits.  Two weird spots marked anyway.
Delta  File
+8 -8  src/etc/inc/filter.inc
+8 -8  1 files

OPNSense/core 9962c5b src/etc/inc system.inc

system: mark these mwexec() as safe by switching to mwexecf() and a minor simplification #9325

We still have join() in there but arguments are properly fed from exec_safe().
We can clean this up later.  Historically, these parts have had a few
regressions and problems so glossing over them is not the best idea.
Delta    File
+12 -13  src/etc/inc/system.inc
+12 -13  1 files

OPNSense/core c9f4717 src/opnsense/mvc/app/library/OPNsense/Core Shell.php

backend: rearrange functions in Shell class
Delta    File
+30 -28  src/opnsense/mvc/app/library/OPNsense/Core/Shell.php
+30 -28  1 files

OPNSense/core ffeea1a src/etc/inc util.inc

system: mwexecf() for legacy service controls #9325
Delta  File
+3 -3  src/etc/inc/util.inc
+3 -3  1 files

OPNSense/core c0bfea3 src/etc/inc system.inc util.inc, src/etc/inc/plugins.inc.d ipsec.inc

backend: actually do a mwexecfm() #9325

Do not do a mwexefm_bg(). Reason in the next commit.
Delta    File
+9 -9    src/etc/inc/system.inc
+7 -2    src/etc/inc/util.inc
+3 -3    src/etc/inc/plugins.inc.d/ipsec.inc
+2 -2    src/etc/inc/auth.inc
+1 -2    src/sbin/carp_service_status
+1 -1    src/opnsense/scripts/dhcp/prefixes.php
+23 -19  5 files not shown
+28 -24  11 files

OPNSense/core 4a783df src/etc/inc/plugins.inc.d dhcrelay.inc

dhcrelay: use the new mwexecf() $format support #9325
Delta   File
+12 -6  src/etc/inc/plugins.inc.d/dhcrelay.inc
+12 -6  1 files

OPNSense/core f7951ff src/etc/inc interfaces.inc

interfaces: transform this existing change using new exec_safe() magic #9325
Delta   File
+10 -6  src/etc/inc/interfaces.inc
+10 -6  1 files

OPNSense/core b2482cb src/etc/inc/plugins.inc.d ipsec.inc

ipsec: mwexecf() switch audit thing #9325
Delta  File
+6 -6  src/etc/inc/plugins.inc.d/ipsec.inc
+6 -6  1 files

OPNSense/core 6e91715 src/etc/inc system.inc

system: fix previous; a downside of mwexecf's parameter list ordering #9325

Maybe we should introduce a mwexecfm() for making this shorter.
Delta  File
+4 -4  src/etc/inc/system.inc
+4 -4  1 files

OPNSense/core 4e7d6c1 src/etc/inc/plugins.inc.d radvd.inc

radvd: make a few security simplifications #9325
Delta   File
+14 -9  src/etc/inc/plugins.inc.d/radvd.inc
+14 -9  1 files

OPNSense/core 630816c src/etc/inc util.inc, src/opnsense/mvc/app/library/OPNsense/Core Shell.php

backend: introduce Shell::run_safe and use it instead
Delta    File
+31 -68  src/opnsense/mvc/app/library/OPNsense/Core/Shell.php
+1 -16   src/etc/inc/util.inc
+4 -7    src/opnsense/mvc/app/library/OPNsense/Trust/Store.php
+36 -91  3 files

OPNSense/core 85e02a1 . plist, src/etc/inc util.inc

backend: move Safe to Shell class

Migrate the one user in the Monit migration to shell_safe() because
that is the most appropriate here (no error code needed, just output).
Delta    File
+0 -71   src/opnsense/mvc/app/library/OPNsense/Core/Safe.php
+40 -0   src/opnsense/mvc/app/library/OPNsense/Core/Shell.php
+4 -6    src/opnsense/mvc/app/models/OPNsense/Monit/Migrations/M1_0_0.php
+4 -4    src/etc/inc/util.inc
+0 -1    plist
+48 -82  5 files

OPNSense/core 2f58a86 src/opnsense/scripts/firmware/repos OPNsense.php

firmware: replace joined command with new approach #9325
Delta  File
+8 -5  src/opnsense/scripts/firmware/repos/OPNsense.php
+8 -5  1 files

OPNSense/core 28483e4 src/etc/inc interfaces.inc util.inc, src/etc/inc/plugins.inc.d dpinger.inc ipsec.inc

backend: fiddle with mwexecf_bg for #9325

Never mute a background action, also because it is used nowhere and
I cannot recall an instance where we had to mute it either.  Debug
output for backgrounding action failure is likely valuable information.
Delta    File
+20 -9   src/etc/inc/plugins.inc.d/dpinger.inc
+6 -4    src/etc/inc/interfaces.inc
+3 -6    src/etc/inc/plugins.inc.d/ipsec.inc
+2 -1    src/etc/inc/util.inc
+31 -20  4 files

OPNSense/core 211bc41 src/etc/inc interfaces.inc system.inc, src/etc/inc/plugins.inc.d ipsec.inc dpinger.inc

backend: switch to mwexecfb() #9325
Delta  File
+2 -2  src/etc/inc/plugins.inc.d/ipsec.inc
+1 -1  src/etc/inc/plugins.inc.d/dpinger.inc
+1 -1  src/etc/inc/interfaces.inc
+1 -1  src/etc/inc/plugins.inc.d/ntpd.inc
+1 -1  src/etc/inc/plugins.inc.d/unbound.inc
+1 -1  src/etc/inc/system.inc
+7 -7  6 files