From a5fc040deba22743cb1daed6655548f5750faecf Mon Sep 17 00:00:00 2001
From: "CanbiZ (MickLesk)" <47820557+MickLesk@users.noreply.github.com>
Date: Fri, 17 Apr 2026 13:04:52 +0200
Subject: [PATCH] =?UTF-8?q?fix(build):=20sanitize=20mount=5Ffs=20input=20?=
 =?UTF-8?q?=E2=80=94=20strip=20spaces=20and=20trailing=20commas=20(#13806)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

User input like 'nfs, cifs' or 'nfs,' would produce invalid pct
features strings like 'mount=nfs; cifs' (space breaks pct argument
parsing) or 'mount=nfs;' (trailing semicolon). Fixes:

- Whiptail dialog (Step 27): normalize input immediately after entry
- load_vars_file validation: normalize before regex check, use
  stricter regex that rejects trailing/leading commas
- FEATURES construction: defensive sanitize before building the
  mount= value (strip spaces, trailing commas/semicolons)

All three layers ensure 'nfs, cifs' -> 'nfs,cifs' -> 'mount=nfs;cifs'
---
 misc/build.func | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/misc/build.func b/misc/build.func
index daeb119a7..068d6f720 100644
--- a/misc/build.func
+++ b/misc/build.func
@@ -1211,7 +1211,11 @@ load_vars_file() {
           fi
           ;;
         var_mount_fs)
-          if [[ ! "$var_val" =~ ^[a-zA-Z0-9,]+$ ]]; then
+          # Normalize: strip spaces, trailing commas
+          var_val="${var_val// /}"
+          var_val="${var_val%%,}"
+          var_val="${var_val##,}"
+          if [[ -n "$var_val" ]] && [[ ! "$var_val" =~ ^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$ ]]; then
             msg_warn "Invalid mount_fs value '$var_val' in $file (comma-separated fs names only, e.g. nfs,cifs), ignoring"
             continue
           fi
@@ -2668,6 +2672,10 @@ advanced_settings() {
         --ok-button "Next" --cancel-button "Back" \
         --inputbox "\nAllow specific filesystem mounts.\n\nComma-separated list: nfs, cifs, fuse, ext4, etc.\nLeave empty for defaults (none).\n\nCurrent: $mount_hint" 14 62 "$_mount_fs" \
         3>&1 1>&2 2>&3); then
+        # Normalize: strip spaces and trailing/leading commas
+        result="${result// /}"
+        result="${result%%,}"
+        result="${result##,}"
         _mount_fs="$result"
         ((STEP++))
       else
@@ -3638,8 +3646,16 @@ build_container() {
 
   # Mount filesystem types (user configurable via advanced settings)
   if [ -n "${ALLOW_MOUNT_FS:-}" ]; then
-    [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
-    FEATURES="${FEATURES}mount=${ALLOW_MOUNT_FS//,/;}"
+    # Sanitize: strip spaces, trailing/leading commas, then convert commas to semicolons
+    local _mount_clean="${ALLOW_MOUNT_FS// /}"
+    _mount_clean="${_mount_clean%%,}"
+    _mount_clean="${_mount_clean##,}"
+    _mount_clean="${_mount_clean%%;}"  
+    _mount_clean="${_mount_clean//,/;}"
+    if [ -n "$_mount_clean" ]; then
+      [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
+      FEATURES="${FEATURES}mount=${_mount_clean}"
+    fi
   fi
 
   # Build PCT_OPTIONS as string for export