From 2f4809884632ab0edb533ab9efb40ef71d5dbe71 Mon Sep 17 00:00:00 2001
From: sthen
Date: Thu, 2 Nov 2023 20:47:31 +0000
Subject: [PATCH] Use pfctl_fopen (which checks to ensure the given file isn't a directory) for pfctl -f /path/to/pf.conf. Otherwise, if you accidentally use a dir instead of a file (e.g. if you have an /etc/pf directory and don't notice the name when tab-completing), you successfully install an empty ruleset. ok sashan@
---
 sbin/pfctl/parse.y | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index adc71340d3e..ee5c00f3b8b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.714 2023/10/26 16:26:01 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.715 2023/11/02 20:47:31 sthen Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -5391,7 +5391,7 @@ pushfile(const char *name, int secret)
  free(nfile);
  return (NULL);
  }
- } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) {
+ } else if ((nfile->stream = pfctl_fopen(nfile->name, "r")) == NULL) {
  warn("%s: %s", __func__, nfile->name);
  free(nfile->name);
  free(nfile);
-- 
2.20.1
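Review bot: The error path on the line after the new call, `warn("%s: %s", __func__, nfile->name);`, prints strerror(errno), so the diagnostic for the directory case is only accurate if pfctl_fopen() sets errno (presumably EISDIR) before returning NULL; pfctl_fopen() is not visible in this hunk, so that contract should be confirmed and recorded at the call site, e.g. `/* pfctl_fopen() rejects directories and must set errno on failure for warn() */`. It is also worth confirming that pfctl_fopen() validates the already-opened stream (fstat on fileno) rather than stat()-ing the path first, since the goal is to reject a directory rather than the file fopen() will actually return, and only the former closes the check-then-open gap. The surrounding branch in pushfile() starts and ends outside the hunk, and the declaration of pfctl_fopen() in a header included by parse.y is likewise outside this view.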