Fix Linux installer NetworkManager file URIs

devices/linux/Files/main.py

@@ -1199,6 +1199,15 @@ def __delete_existing_connection(self, ssid: str) -> None:
             except dbus.exceptions.DBusException:
                 pass
 
+    @staticmethod
+    def __nm_file_uri(path: str) -> dbus.ByteArray:
+        """
+        Build a DBus byte array for NetworkManager file URI settings.
+        D-Bus arrays are length-delimited, so adding a C-style NUL
+        terminator is unnecessary and can leak into persisted config.
+        """
+        return dbus.ByteArray(f"file://{path}".encode())
+
     def __add_connection(self, ssid: str) -> None:
         debug("Adding connection: " + ssid)
         server_alt_subject_name_list = dbus.Array(Config.servers)
@@ -1216,19 +1225,16 @@ def __add_connection(self, ssid: str) -> None:
         s_8021x_data = {
             'eap': [Config.eap_outer.lower()],
             'identity': self.user_data.username,
-            'ca-cert': dbus.ByteArray(
-                f"file://{self.cacert_file}\0".encode()),
+            'ca-cert': self.__nm_file_uri(self.cacert_file),
             match_key: match_value}
         if Config.eap_outer in ('PEAP', 'TTLS'):
             s_8021x_data['password'] = self.user_data.password
             s_8021x_data['phase2-auth'] = Config.eap_inner.lower()
             s_8021x_data['anonymous-identity'] = outer_identity
             s_8021x_data['password-flags'] = 1
         elif Config.eap_outer == 'TLS':
-            s_8021x_data['client-cert'] = dbus.ByteArray(
-                f"file://{self.pfx_file}\0".encode())
-            s_8021x_data['private-key'] = dbus.ByteArray(
-                f"file://{self.pfx_file}\0".encode())
+            s_8021x_data['client-cert'] = self.__nm_file_uri(self.pfx_file)
+            s_8021x_data['private-key'] = self.__nm_file_uri(self.pfx_file)
             s_8021x_data['private-key-password'] = self.user_data.password
             s_8021x_data['private-key-password-flags'] = 1
         s_con = dbus.Dictionary({

tests/unit/devices/linux/Files/MainPyTemplateTest.php

@@ -0,0 +1,46 @@
+<?php
+/*
+ * *****************************************************************************
+ * Contributions to this work were made on behalf of the GÉANT project, a
+ * project that has received funding from the European Union’s Framework
+ * Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
+ * Horizon 2020 research and innovation programme under Grant Agreements No.
+ * 691567 (GN4-1) and No. 731122 (GN4-2).
+ * On behalf of the aforementioned projects, GEANT Association is the sole owner
+ * of the copyright in all material which was developed by a member of the GÉANT
+ * project. GÉANT Vereniging (Association) is registered with the Chamber of
+ * Commerce in Amsterdam with registration number 40535155 and operates in the
+ * UK as a branch of GÉANT Vereniging.
+ *
+ * Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands.
+ * UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
+ *
+ * License: see the web/copyright.inc.php file in the file structure or
+ *          <base_url>/copyright.php after deploying the software
+ */
+
+class MainPyTemplateTest extends \PHPUnit\Framework\TestCase
+{
+    public function testNetworkManagerFileUrisAreNotNulTerminated()
+    {
+        $template = file_get_contents(__DIR__ . '/../../../../../devices/linux/Files/main.py');
+
+        $this->assertStringContainsString(
+            'def __nm_file_uri(path: str) -> dbus.ByteArray:',
+            $template
+        );
+        $this->assertStringContainsString(
+            'return dbus.ByteArray(f"file://{path}".encode())',
+            $template
+        );
+
+        $this->assertStringNotContainsString(
+            'f"file://{self.cacert_file}\0".encode()',
+            $template
+        );
+        $this->assertStringNotContainsString(
+            'f"file://{self.pfx_file}\0".encode()',
+            $template
+        );
+    }
+}