From 9cf981e300b88dcb2b9bc86e52ee802af948f2cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marta=20Marczykowska-G=C3=B3recka?=
Date: Fri, 15 May 2020 16:01:18 +0200
Subject: [PATCH] Added some safeguards for invalid firewall rules No more None dsthosts or port ranges. fixes QubesOS/qubes-issues#5772
---
 qubesadmin/firewall.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/qubesadmin/firewall.py b/qubesadmin/firewall.py
index b103cf12..e1e4cd13 100644
--- a/qubesadmin/firewall.py
+++ b/qubesadmin/firewall.py
@@ -86,6 +86,8 @@ def rule(self):
 class DstHost(RuleOption):
 '''Represent host/network address: either IPv4, IPv6, or DNS name'''
 def __init__(self, value, prefixlen=None):
+ if value is None:
+ raise ValueError('DstHost cannot be None')
 # TODO: in python >= 3.3 ipaddress module could be used
 if value.count('/') > 1:
 raise ValueError('Too many /: ' + value)
@@ -158,6 +160,8 @@ def rule(self):
 class DstPorts(RuleOption):
 '''Destination port(s), for TCP/UDP only'''
 def __init__(self, value):
+ if value is None:
+ raise ValueError('Port range cannot be None')
 if isinstance(value, int):
 value = str(value)
 if value.count('-') == 1:
@@ -184,6 +188,8 @@ class IcmpType(RuleOption):
 '''ICMP packet type'''
 def __init__(self, value):
 super(IcmpType, self).__init__(value)
+ if value is None:
+ raise ValueError('ICMP cannot be None')
 value = int(value)
 if value < 0 or value > 255:
 raise ValueError('ICMP type out of range')
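Review bot: The guard added at the top of `DstHost.__init__` rejects only `None`, so any other non-string value still reaches `value.count('/')` and fails with AttributeError or TypeError rather than the ValueError a caller validating a firewall rule would presumably catch. The same holds for `DstPorts.__init__` in the second hunk, where a value that is neither None, int nor str reaches `value.count('-')`. If nothing elsewhere in the file relies on other types being accepted, a type test such as `if not isinstance(value, str): raise ValueError('DstHost must be a string')` would make malformed rule input fail in one predictable way. The diffstat lists only firewall.py, so a regression test for the None cases is worth adding with this change. Both constructors continue past the end of their hunks.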
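Review bot: In `IcmpType.__init__` the None check sits after `super(IcmpType, self).__init__(value)`, while the DstHost and DstPorts guards run before anything else. The base initializer is not visible in this diff, so what it does with None is unknown; moving the two added lines above the super() call would avoid handing it a value the subclass is about to reject. The message `'ICMP cannot be None'` would also read more consistently as `'ICMP type cannot be None'`, matching `'ICMP type out of range'` a few lines below.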