Ubuntu
netcfg package

SSID and password not properly quoted/escaped when writing YAML

Bug #1952549 reported by Maarten van der Schrieck
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
netcfg (Ubuntu)
New
Undecided
Unassigned

Bug Description

When writing the wireless YAML config file, the SSID and password are written as YAML unquoted string literal. This leads to invalid YAML when the SSID contains ": ", when the SSID or password starts with ', ", @, &, and possibly other characters/sequences. Also, SSIDs and passwords that themselves are quoted strings, will effectively be stored without quotes (the quotes contained in them will be part of YAML syntax and not of the SSID/password).

Examples of SSIDs/passwords failing, one per line:

@Home
old network: don't use
'60s museum
"to be or not to be"
@VerySecretP@ssword

In some languages it is not uncommon to start words/sentences with an apostrophe, leading to the same issue as with the '60s museum example.

The observed behavior is: When using the installer, WiFi is setup correctly, but the config file as written is invalid, so after first boot, WiFi is not connecting and an obscure YAML syntax error is logged somewhere.

The expected behavior is: When using the installer, WiFi is setup correctly and the password is written in YAML file with quotes. Single-Quoted style looks best, where only single quote needs to be escaped by duplicating the character, so the examples of failing items would be encoded as such:

'@Home'
'old network: don''t use'
'''60s museum'
'"to be or not to be"'
'@VerySecretP@ssword'

Single-Quoted style supports printable characters, which sounds like a good fit for user-input SSIDs and passwords. Although quoting is often not needed, it seems wise to always quote freeform user input - who knows what future YAML standards/parsers may do.

Reference: https://yaml.org/spec/1.2.2/#732-single-quoted-style

This bug affects Ubuntu netcfg (not Debian) and is present from at least version 18, aka Bionic, up to what I believe is the current development branch I cloned from a git repository.

I have a simple patch available and will be investigating how to format and submit it. As I understood, the first step is reporting a bug, so here goes!

Tags: patch
Revision history for this message
Maarten van der Schrieck (maartenvds) wrote :

This is a plain patch of changes performed on a git clone of https://git.launchpad.net/ubuntu/+source/netcfg

The fix is simple: use Single-Quoted style when outputting SSID or password, which means start and end with a single quote, and replace any instance of ' with ''.

The code compiles, and should work, but is not tested. I have yet to figure out how to run netcfg without generating a modified bootable image and performing an install.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-When-writing-wireless-config-quote-SSID-and-password.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Maarten van der Schrieck (maartenvds) wrote :

I just tested the patch by modifying an Ubuntu 18 USB install stick and performing a clean install on another USB disk. The SSID and password are now indeed stored with single quotes, and as expected, an otherwise non-functioning SSID did in fact work after booting the newly installed system.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.