From a7f5f570bfe30b86b5c7088450f96b77c86dca18 Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Mon, 3 Nov 2025 15:59:56 +0100
Subject: [PATCH] openvpnserv: Disallow stdin as config unless user is
 authorized

Reported by: <stephan@srlabs.de>

Change-Id: I356faeebfade1eed9b40d6700b13621c357ec5ac
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1343
Message-Id: <20251103150002.23187-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34156.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a3d8c40260930ab82ca5d9d71796a7763e74a03d)
---
 src/openvpnserv/validate.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 5f7acd74..f8304ac0 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -65,6 +65,11 @@ CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
     const WCHAR *config_file = NULL;
     const WCHAR *config_dir = NULL;
 
+    /* fname = stdin is special: do not treat it as a relative path */
+    if (wcscmp(fname, L"stdin") == 0)
+    {
+        return FALSE;
+    }
     /* convert fname to full path */
     if (PathIsRelativeW(fname) )
     {