[Bug 1952549] [NEW] SSID and password not properly quoted/escaped when writing YAML

Maarten van der Schrieck 1952549 at bugs.launchpad.net
Sun Nov 28 12:27:26 UTC 2021


Public bug reported:

When writing the wireless YAML config file, the SSID and password are
written as YAML unquoted string literals. This leads to invalid YAML when
the SSID contains ": ", when the SSID or password starts with ', ", @,
&, and possibly other characters/sequences. Also, SSIDs and passwords
that themselves are quoted strings will effectively be stored without
quotes (the quotes contained in them will be part of YAML syntax and not
of the SSID/password).

Examples of SSIDs/passwords failing, one per line:

@Home
old network: don't use
'60s museum
"to be or not to be"
@VerySecretP@ssword

In some languages it is not uncommon to start words/sentences with an
apostrophe, leading to the same issue as with the '60s museum example.

The observed behavior is: When using the installer, WiFi is set up
correctly, but the config file as written is invalid, so after first
boot, WiFi is not connecting and an obscure YAML syntax error is logged
somewhere.

The expected behavior is: When using the installer, WiFi is set up
correctly and the password is written in the YAML file with quotes.
Single-Quoted style looks best, where only the single quote needs to be
escaped by duplicating the character, so the examples of failing items
would be encoded as such:

'@Home'
'old network: don''t use'
'''60s museum'
'"to be or not to be"'
'@VerySecretP@ssword'

Single-Quoted style supports printable characters, which sounds like a
good fit for user-input SSIDs and passwords. Although quoting is often
not needed, it seems wise to always quote freeform user input - who
knows what future YAML standards/parsers may do.

Reference: https://yaml.org/spec/1.2.2/#732-single-quoted-style

This bug affects Ubuntu netcfg (not Debian) and is present from at least
version 18, aka Bionic, up to what I believe is the current development
branch I cloned from a git repository.

I have a simple patch available and will be investigating how to format
and submit it. As I understood, the first step is reporting a bug, so
here goes!

** Affects: netcfg (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1952549
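
The single-quoted encoding described in the report, as an added example (not netcfg's code and not the reporter's patch): a hypothetical helper `yaml_single_quote` doubles each single quote and refuses values containing control characters, which this style cannot carry unchanged on one line. Rejecting every byte below 0x20 is a conservative assumption made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not netcfg's code): return a malloc'd copy of `in`
 * as a YAML single-quoted scalar, or NULL if `in` holds a control
 * character or DEL (or if allocation fails). */
char *yaml_single_quote(const char *in)
{
    size_t len = 2;                      /* opening and closing quote */
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return NULL;                 /* caller must reject or use another style */
        len += (*p == '\'') ? 2 : 1;     /* a quote is escaped by doubling it */
    }
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    char *w = out;
    *w++ = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'')
            *w++ = '\'';                 /* emit the extra quote first */
        *w++ = *p;
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

/* Returns 1 if quoting `in` yields exactly `expected`. */
int quotes_to(const char *in, const char *expected)
{
    char *q = yaml_single_quote(in);
    int ok = q && strcmp(q, expected) == 0;
    free(q);
    return ok;
}

int main(void)
{
    /* Failing values taken from the report. */
    const char *samples[] = { "@Home", "old network: don't use",
                              "'60s museum", "\"to be or not to be\"" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char *q = yaml_single_quote(samples[i]);
        printf("%s\n", q ? q : "(rejected)");
        free(q);
    }
    return 0;
}
```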
