samba4: fix for #13758

* fix for possible exploit #13758
* sanetize all external template/config inputs
* fix some shellcheck warnings

Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>

net/samba4/Makefile

@@ -3,7 +3,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=samba
 PKG_VERSION:=4.11.17
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:= \

net/samba4/files/samba.init

@@ -5,39 +5,39 @@ USE_PROCD=1
 
 SAMBA_IFACE=""
 
+config_get_sane() {
+	config_get "$@"
+	set -- "$(echo "$1" | tr -d '<>[]{};%?=#\n')"
+}
+
 smb_header() {
-	config_get SAMBA_IFACE $1 interface "lan"
+	config_get_sane SAMBA_IFACE "$1" interface "lan"
 
 	# resolve interfaces
-	local interfaces
 	interfaces=$(
 		. /lib/functions/network.sh
 
-		local net
 		for net in $SAMBA_IFACE; do
-			local device
-			network_is_up $net || continue
+			network_is_up "$net" || continue
 			network_get_device device "$net"
 			printf "%s " "${device:-$net}"
 		done
 	)
 
-	local workgroup description charset
 	# we dont use netbios anymore as default and wsd/avahi is dns based
-	local hostname
-	hostname="$(cat /proc/sys/kernel/hostname)"
+	hostname="$(cat /proc/sys/kernel/hostname | tr -d '{};%?=#\n')"
 
-	config_get workgroup $1 workgroup "WORKGROUP"
-	config_get description $1 description "Samba on OpenWrt"
-	config_get charset $1 charset "UTF-8"
+	config_get_sane workgroup "$1" workgroup "WORKGROUP"
+	config_get_sane description "$1" description "Samba on OpenWrt"
+	config_get_sane charset "$1" charset "UTF-8"
 
-	config_get_bool MACOS $1 macos 0
-	config_get_bool DISABLE_NETBIOS $1 disable_netbios 0
-	config_get_bool DISABLE_AD_DC $1 disable_ad_dc 0
-	config_get_bool DISABLE_WINBIND $1 disable_winbind 0
-	config_get_bool DISABLE_ASYNC_IO $1 disable_async_io 0
-	config_get_bool ALLOW_LEGACY_PROTOCOLS $1 allow_legacy_protocols 0
-	config_get_bool ENABLE_EXTRA_TUNING $1 enable_extra_tuning 0
+	config_get_bool MACOS "$1" macos 0
+	config_get_bool DISABLE_NETBIOS "$1" disable_netbios 0
+	config_get_bool DISABLE_AD_DC "$1" disable_ad_dc 0
+	config_get_bool DISABLE_WINBIND "$1" disable_winbind 0
+	config_get_bool DISABLE_ASYNC_IO "$1" disable_async_io 0
+	config_get_bool ALLOW_LEGACY_PROTOCOLS "$1" allow_legacy_protocols 0
+	config_get_bool ENABLE_EXTRA_TUNING "$1" enable_extra_tuning 0
 
 	mkdir -p /var/etc
 	sed -e "s#|NAME|#$hostname#g" \
@@ -52,14 +52,13 @@ smb_header() {
 
 		# extra tuning options by community feedback (kinda try&error)
 		if [ "$ENABLE_EXTRA_TUNING" -eq 1 ]; then
-			local socket_opt
 			socket_opt="$(grep -i 'socket options' /etc/samba/smb.conf.template | awk -F'=' '{print $2}' | tr -d '\n')"
 			[ -n "$socket_opt" ] && printf "\tsocket options =%s SO_KEEPALIVE\n" "$socket_opt" # add keepalive, maybe larger buffer? SO_RCVBUF=65536 SO_SNDBUF=65536
 
 			printf "\tmax xmit = 131072\n" # increase smb1 transmit size
 			printf "\tmin receivefile size = 131072\n" # allows zero-copy writes via fs
 			printf "\tfake oplocks = Yes\n" # may corrupt files for simultanous writes to the same files by multiple clients, but might also see big speed boost
-			printf "\tuse sendfile = Yes\n" # enable sendfile, not sure whats with the 2019 bug https://bugzilla.samba.org/show_bug.cgi?id=14095
+			printf "\tuse sendfile = Yes\n" # enable sendfile?
 			# Removed in 4.12.x in favor of VFS io_uring ; this is per file, so may increase memory useage on many simultanous oplocked files!
 			printf "\twrite cache size = 262144\n" # adds a write cache buffer per file for oplocked files, flushes if size is exhausted
 		fi
@@ -73,8 +72,6 @@ smb_header() {
 		if [ "$DISABLE_ASYNC_IO" -eq 1 ]; then
 			printf "\taio read size = 0\n"
 			printf "\taio write size = 0\n"
-			# sendfile bug: https://bugzilla.samba.org/show_bug.cgi?id=14095
-			printf "\tuse sendfile = no\n"
 		fi
 
 		if [ "$ALLOW_LEGACY_PROTOCOLS" -eq 1 ]; then
@@ -90,46 +87,27 @@ smb_header() {
 	if [ ! -L /etc/samba/smb.conf ]; then
 		logger -p daemon.warn -t 'samba4-server' "Local custom /etc/samba/smb.conf file detected, all luci/config settings are ignored!"
 	fi
-
 }
 
 smb_add_share() {
-	local name
-	local path
-	local users
-	local create_mask
-	local dir_mask
-	local browseable
-	local read_only
-	local writeable
-	local guest_ok
-	local guest_only
-	local inherit_owner
-	local vfs_objects
-	local timemachine
-	local timemachine_maxsize
-	local force_root
-	local write_list
-	local read_list
-
-	config_get name $1 name
-	config_get path $1 path
-	config_get users $1 users
-	config_get create_mask $1 create_mask
-	config_get dir_mask $1 dir_mask
-	config_get browseable $1 browseable
-	config_get read_only $1 read_only
-	config_get writeable $1 writeable
-	config_get guest_ok $1 guest_ok
-	config_get guest_only $1 guest_only
-	config_get inherit_owner $1 inherit_owner
-	config_get vfs_objects $1 vfs_objects
-	config_get_bool timemachine	$1 timemachine	0
-	config_get timemachine_maxsize $1 timemachine_maxsize
-	config_get_bool force_root	$1 force_root	0
-	config_get write_list $1 write_list
-	config_get read_list $1 read_list
-
+	config_get_sane name "$1" name
+	config_get_sane path "$1" path
+	config_get_sane users "$1" users
+	config_get_sane create_mask "$1" create_mask
+	config_get_sane dir_mask "$1" dir_mask
+	config_get_sane browseable "$1" browseable
+	config_get_sane read_only "$1" read_only
+	config_get_sane writeable "$1" writeable
+	config_get_sane guest_ok "$1" guest_ok
+	config_get_sane guest_only "$1" guest_only
+	config_get_sane inherit_owner "$1" inherit_owner
+	config_get_sane vfs_objects "$1" vfs_objects
+	config_get_bool timemachine "$1" timemachine 0
+	config_get_sane timemachine_maxsize "$1" timemachine_maxsize
+	config_get_bool force_root "$1" force_root 0
+	config_get_sane write_list "$1" write_list
+	config_get_sane read_list "$1" read_list
+	
 	[ -z "$name" ] || [ -z "$path" ] && return
 
 	{
@@ -192,9 +170,8 @@ service_triggers() {
 
 	procd_add_reload_trigger "dhcp" "system" "samba4"
 
-	local i
 	for i in $SAMBA_IFACE; do
-		procd_add_reload_interface_trigger $i
+		procd_add_reload_interface_trigger "$i"
 	done
 }
 
@@ -206,14 +183,13 @@ start_service() {
 		exit 1
 	fi
 
-	local nice_value
-	config_get nice_value extra samba_nice 0
+	config_get_sane nice_value extra samba_nice 0
 
 	# start main AD-DC daemon, will spawn (smbd,nmbd,winbindd) as needed/configured.
 	if [ "$DISABLE_AD_DC" -ne 1 ] && [ -x /usr/sbin/samba ]; then
 		procd_open_instance
 		procd_set_param command /usr/sbin/samba -F
-		procd_set_param nice $nice_value
+		procd_set_param nice "$nice_value"
 		procd_set_param respawn
 		procd_set_param file /etc/samba/smb.conf
 		procd_set_param limits nofile=16384
@@ -222,7 +198,7 @@ start_service() {
 		# start fileserver daemon
 		procd_open_instance
 		procd_set_param command /usr/sbin/smbd -F
-		procd_set_param nice $nice_value
+		procd_set_param nice "$nice_value"
 		procd_set_param respawn
 		procd_set_param file /etc/samba/smb.conf
 		procd_set_param limits nofile=16384
@@ -232,7 +208,7 @@ start_service() {
 		if [ "$DISABLE_NETBIOS" -ne 1 ] && [ -x /usr/sbin/nmbd ]; then
 			procd_open_instance
 			procd_set_param command /usr/sbin/nmbd -F
-			procd_set_param nice $nice_value
+			procd_set_param nice "$nice_value"
 			procd_set_param respawn
 			procd_set_param file /etc/samba/smb.conf
 			procd_close_instance
@@ -241,7 +217,7 @@ start_service() {
 		if [ "$DISABLE_WINBIND" -ne 1 ] && [ -x /usr/sbin/winbindd ]; then
 			procd_open_instance
 			procd_set_param command /usr/sbin/winbindd -F
-			procd_set_param nice $nice_value
+			procd_set_param nice "$nice_value"
 			procd_set_param respawn
 			procd_set_param file /etc/samba/smb.conf
 			procd_close_instance