From c9d8f7360f70554eb5d17623189ef2da38247e73 Mon Sep 17 00:00:00 2001
From: Patrick Lenihan <sc17pl@leeds.ac.uk>
Date: Sat, 28 Mar 2026 17:52:09 +0000
Subject: [PATCH 1/2] Fix Linux installer NetworkManager file URIs

---
 devices/linux/Files/main.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/devices/linux/Files/main.py b/devices/linux/Files/main.py
index 6c8191ebe..e2b008dcc 100755
--- a/devices/linux/Files/main.py
+++ b/devices/linux/Files/main.py
@@ -1199,6 +1199,15 @@ def __delete_existing_connection(self, ssid: str) -> None:
             except dbus.exceptions.DBusException:
                 pass
 
+    @staticmethod
+    def __nm_file_uri(path: str) -> dbus.ByteArray:
+        """
+        Build a DBus byte array for NetworkManager file URI settings.
+        D-Bus arrays are length-delimited, so adding a C-style NUL
+        terminator is unnecessary and can leak into persisted config.
+        """
+        return dbus.ByteArray(f"file://{path}".encode())
+
     def __add_connection(self, ssid: str) -> None:
         debug("Adding connection: " + ssid)
         server_alt_subject_name_list = dbus.Array(Config.servers)
@@ -1216,8 +1225,7 @@ def __add_connection(self, ssid: str) -> None:
         s_8021x_data = {
             'eap': [Config.eap_outer.lower()],
             'identity': self.user_data.username,
-            'ca-cert': dbus.ByteArray(
-                f"file://{self.cacert_file}\0".encode()),
+            'ca-cert': self.__nm_file_uri(self.cacert_file),
             match_key: match_value}
         if Config.eap_outer in ('PEAP', 'TTLS'):
             s_8021x_data['password'] = self.user_data.password
@@ -1225,10 +1233,8 @@ def __add_connection(self, ssid: str) -> None:
             s_8021x_data['anonymous-identity'] = outer_identity
             s_8021x_data['password-flags'] = 1
         elif Config.eap_outer == 'TLS':
-            s_8021x_data['client-cert'] = dbus.ByteArray(
-                f"file://{self.pfx_file}\0".encode())
-            s_8021x_data['private-key'] = dbus.ByteArray(
-                f"file://{self.pfx_file}\0".encode())
+            s_8021x_data['client-cert'] = self.__nm_file_uri(self.pfx_file)
+            s_8021x_data['private-key'] = self.__nm_file_uri(self.pfx_file)
             s_8021x_data['private-key-password'] = self.user_data.password
             s_8021x_data['private-key-password-flags'] = 1
         s_con = dbus.Dictionary({

From d7dc34483ab0bc3f676b343e3eb0bc5327bf3b6f Mon Sep 17 00:00:00 2001
From: Patrick Lenihan <sc17pl@leeds.ac.uk>
Date: Sat, 28 Mar 2026 17:59:51 +0000
Subject: [PATCH 2/2] Add regression test for Linux installer file URIs

---
 .../linux/Files/MainPyTemplateTest.php        | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 tests/unit/devices/linux/Files/MainPyTemplateTest.php

diff --git a/tests/unit/devices/linux/Files/MainPyTemplateTest.php b/tests/unit/devices/linux/Files/MainPyTemplateTest.php
new file mode 100644
index 000000000..0a3226065
--- /dev/null
+++ b/tests/unit/devices/linux/Files/MainPyTemplateTest.php
@@ -0,0 +1,46 @@
+<?php
+/*
+ * *****************************************************************************
+ * Contributions to this work were made on behalf of the GÉANT project, a
+ * project that has received funding from the European Union’s Framework
+ * Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
+ * Horizon 2020 research and innovation programme under Grant Agreements No.
+ * 691567 (GN4-1) and No. 731122 (GN4-2).
+ * On behalf of the aforementioned projects, GEANT Association is the sole owner
+ * of the copyright in all material which was developed by a member of the GÉANT
+ * project. GÉANT Vereniging (Association) is registered with the Chamber of
+ * Commerce in Amsterdam with registration number 40535155 and operates in the
+ * UK as a branch of GÉANT Vereniging.
+ *
+ * Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands.
+ * UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
+ *
+ * License: see the web/copyright.inc.php file in the file structure or
+ *          <base_url>/copyright.php after deploying the software
+ */
+
+class MainPyTemplateTest extends \PHPUnit\Framework\TestCase
+{
+    public function testNetworkManagerFileUrisAreNotNulTerminated()
+    {
+        $template = file_get_contents(__DIR__ . '/../../../../../devices/linux/Files/main.py');
+
+        $this->assertStringContainsString(
+            'def __nm_file_uri(path: str) -> dbus.ByteArray:',
+            $template
+        );
+        $this->assertStringContainsString(
+            'return dbus.ByteArray(f"file://{path}".encode())',
+            $template
+        );
+
+        $this->assertStringNotContainsString(
+            'f"file://{self.cacert_file}\0".encode()',
+            $template
+        );
+        $this->assertStringNotContainsString(
+            'f"file://{self.pfx_file}\0".encode()',
+            $template
+        );
+    }
+}