From 748369c8adf0e151f6173df9fde436458ea149ca Mon Sep 17 00:00:00 2001
From: Rafal Wojtczuk <rafal@invisiblethingslab.com>
Date: Mon, 9 May 2011 16:26:48 +0200
Subject: [PATCH] qubes_netwatcher: expand a note about NETCFG untrusted origin

---
 proxyvm/bin/qubes_netwatcher | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/proxyvm/bin/qubes_netwatcher b/proxyvm/bin/qubes_netwatcher
index 42ee4a1..9b9f279 100755
--- a/proxyvm/bin/qubes_netwatcher
+++ b/proxyvm/bin/qubes_netwatcher
@@ -15,6 +15,8 @@ while true; do
 	if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
 		UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip)
 		# UNTRUSTED_NETCFG is not parsed in any way
+		# thus, no sanitization ready
+		# but be careful when passing it to other shell scripts
 		if [[ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]]; then
 			/sbin/service qubes_firewall stop
 			/sbin/service qubes_firewall start