| Summary: | /boot/loader: Lua: lines containing a comment that contains a '"' in loader.conf are ignored | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | crahman | ||||||
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||||
| Status: | Open --- | ||||||||
| Severity: | Affects Some People | CC: | grahamperrin | ||||||
| Priority: | --- | ||||||||
| Version: | 13.2-RELEASE | ||||||||
| Hardware: | Any | ||||||||
| OS: | Any | ||||||||
| Attachments: |
|
||||||||
|
Description
crahman
2022-07-02 19:38:36 UTC
So the problem is that the lua parser in /boot/lua/config.lua is splitting the line on the '=', sending the first match to the key and the second to the value. In the problem case, the value is: '"test b" # This is "test_directive_b"' Then the value gets matched against QVALEXPR = '"(.*)"'. This cleans up the value by removing the first and last '"', but in this case turns it into: test b" # This is "test_directive_b which then gets rejected in processEnvVar() with MSG_FAILSYN_QUOTE, since values aren't allowed to contain '"'. Changing QVALEXPR to '([-%w_]+)' fixes this problem. Since the value is explicitly prevented from containing quotes, it's not unreasonable to load it from an expression that excludes them. The only other place this is used is in the 'exec="command"' expression, which also should not contain '"' in the command value. A patch is attached. Created attachment 235527 [details]
Prevent '"' from being incorporated into name="value" pairs in /boot/loader.conf
Created attachment 235528 [details]
Prevent '"' from being incorporated into name="value" pairs in /boot/loader.conf
|