From 4ecd407766f001e368dfdd76b6ecc415e9cfa3b5 Mon Sep 17 00:00:00 2001 From: Paul Donald Date: Wed, 11 Mar 2026 18:59:38 +0100 Subject: [PATCH] openvpn: handling for 'push' and other array options remove duplicate 'push' entry from string types. push and other array values shall be "double quoted". we also must 'eval' so that the double-quoted array values don't get split on spaces. Also quote file paths in case they contain spaces. Signed-off-by: Paul Donald --- net/openvpn/files/lib/netifd/proto/openvpn.sh | 26 ++++++++++++++----- net/openvpn/files/lib/netifd/proto/openvpn.uc | 6 +++-- .../files/usr/share/openvpn/openvpn.options | 1 - 3 files changed, 23 insertions(+), 10 deletions(-) diff --git a/net/openvpn/files/lib/netifd/proto/openvpn.sh b/net/openvpn/files/lib/netifd/proto/openvpn.sh index ffb1ed6e1c..5ee97dd3f8 100755 --- a/net/openvpn/files/lib/netifd/proto/openvpn.sh +++ b/net/openvpn/files/lib/netifd/proto/openvpn.sh @@ -50,11 +50,24 @@ option_builder() { file) json_get_var v "$f" [ -f "$v" ] || continue - [ -n "$v" ] && append exec_params " --${f//_/-} $v" + [ -n "$v" ] && append exec_params " --${f//_/-} \"$v\"" ;; list) - json_get_values v "$f" - [ -n "${v}" ] && append exec_params "$(for d in $v; do echo " --${f//_/-} $d"; done)" + local type + json_get_type type "$f" + case "$type" in + object|array) + local keys key + json_select "$f" + json_get_keys keys + for key in $keys; do + json_get_var val "$key" + append exec_params " --${f//_/-} \"$val\"" + done + json_select .. + ;; + *) ;; + esac ;; esac fi @@ -114,7 +127,6 @@ proto_openvpn_setup() { append exec_params " --syslog openvpn_$config" append exec_params " --tmp-dir /var/run" - # alllow deprecated OpenVPN configuration values by default json_get_var ALLOW_DEPRECATED allow_deprecated [ -z "$ALLOW_DEPRECATED" ] && ALLOW_DEPRECATED=0 
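Review bot: Wrapping the value in double quotes in the `file)` and `list)` branches of option_builder does not make it inert once the `eval "set -- $exec_params"` hunk in proto_openvpn_setup parses the string: inside double quotes the shell still expands `$`, backticks and `\`, and an embedded `"` ends the word, so a configured push string or file path containing those characters is interpreted as shell syntax by a handler that presumably runs with netifd's privileges. Single-quote each value and escape embedded single quotes before appending, as in the helper sketched below. `val` should also be declared next to `local keys key`, and the empty `*) ;;` arm drops a non-array value silently where a log line would help. option_builder starts and ends outside the hunk.

```shell
# Wrap a value in single quotes for the later eval, escaping embedded single quotes.
shell_quote() {
	printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# … unchanged: option_builder up to the file) branch …
				[ -n "$v" ] && append exec_params " --${f//_/-} $(shell_quote "$v")"
# … unchanged: list) branch, json_get_type / case header …
						local keys key val
# … unchanged: json_select, json_get_keys, for loop header …
							json_get_var val "$key"
							append exec_params " --${f//_/-} $(shell_quote "$val")"
```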
@@ -196,10 +208,10 @@ proto_openvpn_setup() { -p daemon.warn "Default hotplug processing disabled, as the openvpn configuration 'script_security' is less than '3'" fi - # shellcheck disable=SC2086 - proto_run_command "$config" openvpn $exec_params + eval "set -- $exec_params" + proto_run_command "$config" openvpn "$@" - # last param wins; user provided status or syslog supersedes these. + # last param wins; user provided status or syslog supersedes. } proto_openvpn_renew() { diff --git a/net/openvpn/files/lib/netifd/proto/openvpn.uc b/net/openvpn/files/lib/netifd/proto/openvpn.uc index 69dac66ee1..1dc823e468 100755 --- a/net/openvpn/files/lib/netifd/proto/openvpn.uc +++ b/net/openvpn/files/lib/netifd/proto/openvpn.uc @@ -87,7 +87,6 @@ const OPENVPN_STRING_PARAMS = [ { name: 'proto_force' }, { name: 'providers' }, { name: 'pull_filter' }, - { name: 'push' }, { name: 'push_remove' }, { name: 'redirect_gateway' }, { name: 'redirect_private' }, @@ -303,7 +302,10 @@ function add_param(params, key, value) { let flag = `--${replace(key, '_', '-')}`; push(params, flag); if (value) - push(params, value); + if (key === "push") + push(params, `"${value}"`); + else + push(params, value); } function build_exec_params(cfg) { diff --git a/net/openvpn/files/usr/share/openvpn/openvpn.options b/net/openvpn/files/usr/share/openvpn/openvpn.options index a253446472..2497f13a25 100644 --- a/net/openvpn/files/usr/share/openvpn/openvpn.options +++ b/net/openvpn/files/usr/share/openvpn/openvpn.options @@ -73,7 +73,6 @@ port_share proto_force providers pull_filter -push push_remove redirect_gateway redirect_private
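Review bot: The `eval "set -- $exec_params"` line parses all of exec_params, not only the values this commit quotes, so pieces appended unquoted, such as `--syslog openvpn_$config` in the earlier hunk and presumably the string options built elsewhere in option_builder, change from being word-split to being parsed as shell syntax. The dropped `# shellcheck disable=SC2086` leaves no trace of that contract; I would add `# exec_params is eval'ed below: every value appended to it must already be shell-quoted` above the eval. The exit status of eval is also unchecked, so a value with an unbalanced quote may fail here without a message naming the option. The enclosing proto_openvpn_setup starts outside the hunk.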
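Review bot: In add_param the `push` value is wrapped in literal double quotes without escaping any `"`, `\`, `$` or backtick it contains, so the quoting holds only for values free of those characters. How `params` is consumed is outside the hunk: if it is joined into a string that a shell later parses, such a value is read as shell syntax, and if it is passed as an argument vector the literal quotes reach openvpn as part of the argument; a comment on the function should state which applies. The test also hard-codes `key === "push"` although the commit message speaks of other array options. The nested `if`/`else` without braces would read more safely with braces around the body of the outer `if (value)`.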