From 48d0f1f0b94fe6538bec54559e6e1f1609877039 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 2 Oct 2025 11:51:08 +0200 Subject: [PATCH] fw-addr-lists: check last character of line for JSON This is not a proof, but a line also ending with a curly bracket has higher probability of being valid JSON. Better safe than sorry... We are suffering a CVE in RouterOS: https://www.cve.org/CVERecord?id=CVE-2025-10948 --- fw-addr-lists.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc index 0c45f7e..d56d40f 100644 --- a/fw-addr-lists.rsc +++ b/fw-addr-lists.rsc @@ -103,7 +103,7 @@ :foreach Line in=[ :deserialize $Data delimiter="\n" from=dsv options=dsv.plain ] do={ :set Line ($Line->0); :local Address; - :if ([ :pick $Line 0 1 ] = "{") do={ + :if ([ :pick $Line 0 1 ] = "{" && [ :pick $Line ([ :len $Line ] - 1) ] = "}") do={ :do { :set Address [ :tostr ([ :deserialize from=json $Line ]->"cidr") ]; } on-error={ }