openvpn: handling for 'push' and other array options

remove duplicate 'push' entry from string types. push and other array values shall be "double quoted". we also must 'eval' so that the double-quoted array values don't get split on spaces. Also quote file paths in case they contain spaces. Signed-off-by: Paul Donald <newtwen+github@gmail.com>
2026-04-15 19:02:09 +00:00 · 2026-03-11 18:59:38 +01:00
parent ee4656e8a5
commit 4ecd407766
3 changed files with 23 additions and 10 deletions
--- a/net/openvpn/files/lib/netifd/proto/openvpn.sh
+++ b/net/openvpn/files/lib/netifd/proto/openvpn.sh
@@ -50,11 +50,24 @@ option_builder() {
 				file)
 					json_get_var v "$f"
 					[ -f "$v" ] || continue
-					[ -n "$v" ] && append exec_params " --${f//_/-} $v"
+					[ -n "$v" ] && append exec_params " --${f//_/-} \"$v\""
 					;;
 				list)
-					json_get_values v "$f"
-					[ -n "${v}" ] && append exec_params "$(for d in $v; do echo " --${f//_/-} $d"; done)"
+					local type
+					json_get_type type "$f"
+					case "$type" in
+					object|array)
+						local keys key
+						json_select "$f"
+						json_get_keys keys
+						for key in $keys; do
+							json_get_var val "$key"
+							append exec_params " --${f//_/-} \"$val\""
+						done
+						json_select ..
+						;;
+					*)  ;;
+					esac
 					;;
 			esac
 		fi
@@ -114,7 +127,6 @@ proto_openvpn_setup() {
 	append exec_params " --syslog openvpn_$config"
 	append exec_params " --tmp-dir /var/run"

-	# alllow deprecated OpenVPN configuration values by default
 	json_get_var ALLOW_DEPRECATED allow_deprecated
 	[ -z "$ALLOW_DEPRECATED" ] && ALLOW_DEPRECATED=0

@@ -196,10 +208,10 @@ proto_openvpn_setup() {
 			-p daemon.warn "Default hotplug processing disabled, as the openvpn configuration 'script_security' is less than '3'"
 	fi

-	# shellcheck disable=SC2086
-	proto_run_command "$config" openvpn $exec_params
+	eval "set -- $exec_params"
+	proto_run_command "$config" openvpn "$@"

-	# last param wins; user provided status or syslog supersedes these.
+	# last param wins; user provided status or syslog supersedes.
 }

 proto_openvpn_renew() {
--- a/net/openvpn/files/lib/netifd/proto/openvpn.uc
+++ b/net/openvpn/files/lib/netifd/proto/openvpn.uc
@@ -87,7 +87,6 @@ const OPENVPN_STRING_PARAMS = [
 	{ name: 'proto_force' },
 	{ name: 'providers' },
 	{ name: 'pull_filter' },
-	{ name: 'push' },
 	{ name: 'push_remove' },
 	{ name: 'redirect_gateway' },
 	{ name: 'redirect_private' },
@@ -303,7 +302,10 @@ function add_param(params, key, value) {
 	let flag = `--${replace(key, '_', '-')}`;
 	push(params, flag);
 	if (value)
-		push(params, value);
+		if (key === "push")
+			push(params, `"${value}"`);
+		else
+			push(params, value);
 }

 function build_exec_params(cfg) {
--- a/net/openvpn/files/usr/share/openvpn/openvpn.options
+++ b/net/openvpn/files/usr/share/openvpn/openvpn.options
@@ -73,7 +73,6 @@ port_share
 proto_force
 providers
 pull_filter
-push
 push_remove
 redirect_gateway
 redirect_private