From 469a261b7547f07ab26f46eb3774beca17c75cd2 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Thu, 18 Oct 2018 17:17:20 +0200
Subject: [PATCH] Make more variables safe for use in invitations.

When writing one's own invitation files, more variables are now accepted
by the invitee. The goal is to allow anything that doesn't interfere
with the existing network configuration of the invitee and that doesn't
cause any unexpected behaviour, such as starting running commands.
---
 src/tincctl.c | 48 ++++++++++++++++++++++++------------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/src/tincctl.c b/src/tincctl.c
index 8181dd93..b2062b2e 100644
--- a/src/tincctl.c
+++ b/src/tincctl.c
@@ -1717,18 +1717,18 @@ ecdsa_t *get_pubkey(FILE *f) {
 
 const var_t variables[] = {
 	/* Server configuration */
-	{"AddressFamily", VAR_SERVER},
+	{"AddressFamily", VAR_SERVER | VAR_SAFE},
 	{"AutoConnect", VAR_SERVER | VAR_SAFE},
 	{"BindToAddress", VAR_SERVER | VAR_MULTIPLE},
 	{"BindToInterface", VAR_SERVER},
 	{"Broadcast", VAR_SERVER | VAR_SAFE},
 	{"BroadcastSubnet", VAR_SERVER | VAR_MULTIPLE | VAR_SAFE},
 	{"ConnectTo", VAR_SERVER | VAR_MULTIPLE | VAR_SAFE},
-	{"DecrementTTL", VAR_SERVER},
+	{"DecrementTTL", VAR_SERVER | VAR_SAFE},
 	{"Device", VAR_SERVER},
 	{"DeviceStandby", VAR_SERVER},
 	{"DeviceType", VAR_SERVER},
-	{"DirectOnly", VAR_SERVER},
+	{"DirectOnly", VAR_SERVER | VAR_SAFE},
 	{"Ed25519PrivateKeyFile", VAR_SERVER},
 	{"ExperimentalProtocol", VAR_SERVER},
 	{"Forwarding", VAR_SERVER},
@@ -1738,34 +1738,34 @@ const var_t variables[] = {
 	{"IffOneQueue", VAR_SERVER},
 	{"Interface", VAR_SERVER},
 	{"InvitationExpire", VAR_SERVER},
-	{"KeyExpire", VAR_SERVER},
+	{"KeyExpire", VAR_SERVER | VAR_SAFE},
 	{"ListenAddress", VAR_SERVER | VAR_MULTIPLE},
-	{"LocalDiscovery", VAR_SERVER},
+	{"LocalDiscovery", VAR_SERVER | VAR_SAFE},
 	{"LogLevel", VAR_SERVER},
-	{"MACExpire", VAR_SERVER},
-	{"MaxConnectionBurst", VAR_SERVER},
-	{"MaxOutputBufferSize", VAR_SERVER},
-	{"MaxTimeout", VAR_SERVER},
+	{"MACExpire", VAR_SERVER | VAR_SAFE},
+	{"MaxConnectionBurst", VAR_SERVER | VAR_SAFE},
+	{"MaxOutputBufferSize", VAR_SERVER | VAR_SAFE},
+	{"MaxTimeout", VAR_SERVER | VAR_SAFE},
 	{"Mode", VAR_SERVER | VAR_SAFE},
 	{"Name", VAR_SERVER},
-	{"PingInterval", VAR_SERVER},
-	{"PingTimeout", VAR_SERVER},
+	{"PingInterval", VAR_SERVER | VAR_SAFE},
+	{"PingTimeout", VAR_SERVER | VAR_SAFE},
 	{"PriorityInheritance", VAR_SERVER},
 	{"PrivateKey", VAR_SERVER | VAR_OBSOLETE},
 	{"PrivateKeyFile", VAR_SERVER},
 	{"ProcessPriority", VAR_SERVER},
 	{"Proxy", VAR_SERVER},
-	{"ReplayWindow", VAR_SERVER},
+	{"ReplayWindow", VAR_SERVER | VAR_SAFE},
 	{"ScriptsExtension", VAR_SERVER},
 	{"ScriptsInterpreter", VAR_SERVER},
-	{"StrictSubnets", VAR_SERVER},
-	{"TunnelServer", VAR_SERVER},
-	{"UDPDiscovery", VAR_SERVER},
-	{"UDPDiscoveryKeepaliveInterval", VAR_SERVER},
-	{"UDPDiscoveryInterval", VAR_SERVER},
-	{"UDPDiscoveryTimeout", VAR_SERVER},
-	{"MTUInfoInterval", VAR_SERVER},
-	{"UDPInfoInterval", VAR_SERVER},
+	{"StrictSubnets", VAR_SERVER | VAR_SAFE},
+	{"TunnelServer", VAR_SERVER | VAR_SAFE},
+	{"UDPDiscovery", VAR_SERVER | VAR_SAFE},
+	{"UDPDiscoveryKeepaliveInterval", VAR_SERVER | VAR_SAFE},
+	{"UDPDiscoveryInterval", VAR_SERVER | VAR_SAFE},
+	{"UDPDiscoveryTimeout", VAR_SERVER | VAR_SAFE},
+	{"MTUInfoInterval", VAR_SERVER | VAR_SAFE},
+	{"UDPInfoInterval", VAR_SERVER | VAR_SAFE},
 	{"UDPRcvBuf", VAR_SERVER},
 	{"UDPSndBuf", VAR_SERVER},
 	{"UPnP", VAR_SERVER},
@@ -1776,12 +1776,12 @@ const var_t variables[] = {
 	/* Host configuration */
 	{"Address", VAR_HOST | VAR_MULTIPLE},
 	{"Cipher", VAR_SERVER | VAR_HOST},
-	{"ClampMSS", VAR_SERVER | VAR_HOST},
-	{"Compression", VAR_SERVER | VAR_HOST},
+	{"ClampMSS", VAR_SERVER | VAR_HOST | VAR_SAFE},
+	{"Compression", VAR_SERVER | VAR_HOST | VAR_SAFE},
 	{"Digest", VAR_SERVER | VAR_HOST},
 	{"Ed25519PublicKey", VAR_HOST},
 	{"Ed25519PublicKeyFile", VAR_SERVER | VAR_HOST},
-	{"IndirectData", VAR_SERVER | VAR_HOST},
+	{"IndirectData", VAR_SERVER | VAR_HOST | VAR_SAFE},
 	{"MACLength", VAR_SERVER | VAR_HOST},
 	{"PMTU", VAR_SERVER | VAR_HOST},
 	{"PMTUDiscovery", VAR_SERVER | VAR_HOST},
@@ -1789,7 +1789,7 @@ const var_t variables[] = {
 	{"PublicKey", VAR_HOST | VAR_OBSOLETE},
 	{"PublicKeyFile", VAR_SERVER | VAR_HOST | VAR_OBSOLETE},
 	{"Subnet", VAR_HOST | VAR_MULTIPLE | VAR_SAFE},
-	{"TCPOnly", VAR_SERVER | VAR_HOST},
+	{"TCPOnly", VAR_SERVER | VAR_HOST | VAR_SAFE},
 	{"Weight", VAR_HOST | VAR_SAFE},
 	{NULL, 0}
 };
-- 
2.39.5