Netplan

Merge ~danilogondolfo/netplan/+git/ubuntu:mantic_0_107_1_sru_with_security_fixes into ~ubuntu-core-dev/netplan/+git/ubuntu:ubuntu-mantic

Proposed by Danilo Egea Gondolfo on 2024-07-01

Status:

Merged

Merged at revision:

ed684b8a3eb282b9bc7c0f18ad6b2249e7f3ef30

Proposed branch:

~danilogondolfo/netplan/+git/ubuntu:mantic_0_107_1_sru_with_security_fixes

Merge into:

~ubuntu-core-dev/netplan/+git/ubuntu:ubuntu-mantic

Diff against target:

2060 lines (+2000/-1)

8 files modified

debian/changelog (+20/-1)
debian/netplan-generator.postinst (+15/-0)
debian/patches/lp2065738/0012-cli-generate-call-daemon-reload-after-generate.patch (+82/-0)
debian/patches/lp2065738/0013-libnetplan-use-more-restrictive-file-permissions.patch (+435/-0)
debian/patches/lp2066258/0014-libnetplan-escape-control-characters.patch (+863/-0)
debian/patches/lp2066258/0015-backends-escape-file-paths.patch (+288/-0)
debian/patches/lp2066258/0016-backends-escape-semicolons-in-service-units.patch (+292/-0)
debian/patches/series (+5/-0)

Related bugs:

Bug #2065738: Leaks wireguard keys

High

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Lukas Märdian	2024-07-01	Approve on 2024-07-02
Ubuntu Core Development Team	2024-07-01	Pending
Review via email: mp+468523@code.launchpad.net

Description of the change

A PPA with this change can be found at https://launchpad.net/~danilogondolfo/+archive/ubuntu/netplan-sru

netplan autopkgtest results

https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-danilogondolfo-netplan-sru/mantic/amd64/n/netplan.io/20240701_153019_84a82@/log.gz

https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-danilogondolfo-netplan-sru/mantic/arm64/n/netplan.io/20240701_151726_64043@/log.gz

https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-danilogondolfo-netplan-sru/mantic/armhf/n/netplan.io/20240701_152731_ca3d0@/log.gz

The armhf vrfs tests are failing due to the problem related to the container and the kernel in the host.

https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-danilogondolfo-netplan-sru/mantic/ppc64el/n/netplan.io/20240701_152152_4c5f7@/log.gz

network-manager autopkgtest results

https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-danilogondolfo-netplan-sru/mantic/amd64/n/network-manager/20240701_150722_c07f8@/log.gz

https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-danilogondolfo-netplan-sru/mantic/arm64/n/network-manager/20240701_145555_49ed5@/log.gz

https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-danilogondolfo-netplan-sru/mantic/armhf/n/network-manager/20240701_143813_70808@/log.gz

https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-danilogondolfo-netplan-sru/mantic/ppc64el/n/network-manager/20240701_145355_e2a3c@/log.gz

Revision history for this message

Lukas Märdian (slyon) wrote on 2024-07-02:

LGTM. The new security patches match the noble patches (ignoring patch fuzz).

I've just applied some tiny fixes to the version number (removing ~ppa suffix) and update d/changelog to not drop the previous 0.107-5ubuntu0.3 and 0.107-5ubuntu0.4 updates.

review: Approve

Revision history for this message

Danilo Egea Gondolfo (danilogondolfo) wrote on 2024-07-02:

I can't believe I left the ~ppa in the changelog again........

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Danilo Egea Gondolfo

Lukas Märdian

Ubuntu Core Development Team

 diff --git a/debian/changelog b/debian/changelog
 index d28e7c5..ad8fa95 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,4 +1,4 @@
--netplan.io (0.107.1-3ubuntu0.23.10.1) mantic; urgency=medium
++netplan.io (0.107.1-3ubuntu0.23.10.1~ppa10) mantic; urgency=medium
    * Backport netplan.io 0.107.1-3 to 23.10 (LP: #2058051):
      - wifi: add support for WPA3-Enterprise (LP: 2029876) (!402)
@@ -14,6 +14,25 @@ netplan.io (0.107.1-3ubuntu0.23.10.1) mantic; urgency=medium
      - doc: create libnetplan apidoc structure (!423)
      - inc: Start documenting public API (!423)
      - doc: Update 'Netplan everywhere' for 23.10 (!418)
++    SECURITY UPDATE: weak permissions on secret files, command injection
++    - d/p/lp2065738/0014-libnetplan-use-more-restrictive-file-permissions.patch:
++      Use more restrictive file permissions to prevent unprivileged users to
++      read sensitive data from back end files (LP: 2065738, 1987842)
++    - CVE-2022-4968
++    - d/p/lp2066258/0015-libnetplan-escape-control-characters.patch:
++      Escape control characters in the parser and double quotes in backend
++      files.
++    - d/p/lp2066258/0016-backends-escape-file-paths.patch:
++      Escape special characters in file paths.
++    - d/p/lp2066258/0017-backends-escape-semicolons-in-service-units.patch:
++      Escape isolated semicolons in systemd service units. (LP: 2066258)
++    - debian/netplan-generator.postinst: Add a postinst maintainer script to
++      call the generator. It's needed so the file permissions fixes will be
++      applied automatically.
++    - d/p/lp2065738/0012-cli-generate-call-daemon-reload-after-generate.patch:
++      Call daemon-reload after generate. This is required due to the NM
++      integration. NM doesn't have the capability required to set file owners
++      and now we set the systemd-network group to networkd related files.
      Bug fixes:
      - test:ovs: Avoid NetworkManager taking contol, breaking a test
      - parse: allow COMMON_LINK_HANDLERS for VRFs (!401)
 diff --git a/debian/netplan-generator.postinst b/debian/netplan-generator.postinst
 new file mode 100644
 index 0000000..f805c24
 --- /dev/null
 +++ b/debian/netplan-generator.postinst
@@ -0,0 +1,15 @@
++#!/bin/sh
++
++set -e
++
++# Calling the generator after installation to mitigate CVE-2022-4968
++# We avoid calling the generator if the system doesn't have networkd files to be fixed (LP: #2071333)
++if [ "$1" = configure ]; then
++    FILES=$(find /run/systemd/network/ -type f -regex ".*-netplan.*\.\(network\|netdev\)" 2>/dev/null || true)
++    if [ -n "${FILES}" ]; then
++        /usr/libexec/netplan/generate 2>/dev/null || echo "WARNING: Netplan could not re-generate network configuration. Please run 'netplan generate' to see details."
++    fi
++fi
++
++#DEBHELPER#
++
 diff --git a/debian/patches/lp2065738/0012-cli-generate-call-daemon-reload-after-generate.patch b/debian/patches/lp2065738/0012-cli-generate-call-daemon-reload-after-generate.patch
 new file mode 100644
 index 0000000..acafe2b
 --- /dev/null
 +++ b/debian/patches/lp2065738/0012-cli-generate-call-daemon-reload-after-generate.patch
@@ -0,0 +1,82 @@
++From: =?utf-8?q?Lukas_M=C3=A4rdian?= <slyon@ubuntu.com>
++Date: Wed, 17 Apr 2024 10:23:16 +0200
++Subject: cli/generate: call daemon-reload after generate
++
++This is required due to the Network Manager integration. NM doesn't have
++the capability required to change the configuration files owners.
++Because of that, networkd files that are regenerated when NM is called
++will have root:root as owner and group. As we changed the default mode
++to 0640, networkd wouldn't be able to read the files and the
++configuration would be ignored.
++
++Origin: https://github.com/canonical/netplan/commit/1892487a44f06d3af9620a0ca54ed6e32d1ae963
++Origin: https://github.com/canonical/netplan/commit/223e3d3dd10c44149e2c9b9741900d11ebec6f97
++Origin: https://github.com/canonical/netplan/commit/ea60510cf741afe73b59470af9f812a36140dae0
++
++---
++ netplan_cli/cli/commands/generate.py | 11 ++++++++++-
++ netplan_cli/cli/utils.py             |  2 +-
++ tests/cli_legacy.py                  |  3 +--
++ tests/test_utils.py                  |  2 +-
++ 4 files changed, 13 insertions(+), 5 deletions(-)
++
++diff --git a/netplan_cli/cli/commands/generate.py b/netplan_cli/cli/commands/generate.py
++index f84b171..ba51eb0 100644
++--- a/netplan_cli/cli/commands/generate.py
+++++ b/netplan_cli/cli/commands/generate.py
++@@ -81,5 +81,14 @@ class NetplanGenerate(utils.NetplanCommand):
++         if self.mapping:
++             argv += ['--mapping', self.mapping]
++         logging.debug('command generate: running %s', argv)
+++        res = subprocess.call(argv)
+++        # reload systemd, as we might have changed service units, such as
+++        # /run/systemd/system/systemd-networkd-wait-online.service.d/10-netplan.conf
+++        # Skip it if --mapping is used as nothing will be generated
+++        if self.mapping is None:
+++            try:
+++                utils.systemctl_daemon_reload()
+++            except subprocess.CalledProcessError as e:
+++                logging.warning(e)
++         # FIXME: os.execv(argv[0], argv) would be better but fails coverage
++-        sys.exit(subprocess.call(argv))
+++        sys.exit(res)
++diff --git a/netplan_cli/cli/utils.py b/netplan_cli/cli/utils.py
++index f913630..237e006 100644
++--- a/netplan_cli/cli/utils.py
+++++ b/netplan_cli/cli/utils.py
++@@ -160,7 +160,7 @@ def systemctl_is_installed(unit_pattern):
++
++ def systemctl_daemon_reload():
++     '''Reload systemd unit files from disk and re-calculate its dependencies'''
++-    subprocess.check_call(['systemctl', 'daemon-reload'])
+++    subprocess.check_call(['systemctl', 'daemon-reload', '--no-ask-password'])
++
++
++ def ip_addr_flush(iface):
++diff --git a/tests/cli_legacy.py b/tests/cli_legacy.py
++index 897043e..decde81 100755
++--- a/tests/cli_legacy.py
+++++ b/tests/cli_legacy.py
++@@ -98,8 +98,7 @@ class TestGenerate(unittest.TestCase):
++     enlol: {dhcp4: yes}''')
++         os.chmod(path_a, mode=0o600)
++         os.chmod(path_b, mode=0o600)
++-        out = subprocess.check_output(exe_cli + ['generate', '--root-dir', self.workdir.name], stderr=subprocess.STDOUT)
++-        self.assertEqual(out, b'')
+++        subprocess.check_call(exe_cli + ['generate', '--root-dir', self.workdir.name])
++         self.assertEqual(os.listdir(os.path.join(self.workdir.name, 'run', 'systemd', 'network')),
++                          ['10-netplan-enlol.network'])
++
++diff --git a/tests/test_utils.py b/tests/test_utils.py
++index eefd334..37cf262 100644
++--- a/tests/test_utils.py
+++++ b/tests/test_utils.py
++@@ -380,7 +380,7 @@ class TestUtils(unittest.TestCase):
++         os.environ['PATH'] = os.path.dirname(self.mock_cmd.path) + os.pathsep + path_env
++         utils.systemctl_daemon_reload()
++         self.assertEqual(self.mock_cmd.calls(), [
++-            ['systemctl', 'daemon-reload']
+++            ['systemctl', 'daemon-reload', '--no-ask-password']
++         ])
++
++     def test_ip_addr_flush(self):
 diff --git a/debian/patches/lp2065738/0013-libnetplan-use-more-restrictive-file-permissions.patch b/debian/patches/lp2065738/0013-libnetplan-use-more-restrictive-file-permissions.patch
 new file mode 100644
 index 0000000..9ebce53
 --- /dev/null
 +++ b/debian/patches/lp2065738/0013-libnetplan-use-more-restrictive-file-permissions.patch
@@ -0,0 +1,435 @@
++From: Danilo Egea Gondolfo <danilogondolfo@gmail.com>
++Date: Wed, 22 May 2024 15:44:16 +0100
++Subject: libnetplan: use more restrictive file permissions
++
++A new util.c:_netplan_g_string_free_to_file_with_permissions() was added
++and accepts the owner, group and file mode as arguments. When these
++properties can't be set, when the generator is called by a non-root user
++for example, it will not hard-fail. This function is called by unit
++tests where we can't set the owner to a privileged account for example.
++
++When generating backend files, use more restrictive permissions:
++
++networkd related files will be owned by root:systemd-network and have
++mode 0640.
++
++service unit files will be owned by root:root and have mode 0640.
++udevd files will be owned by root:root with mode 0640.
++
++wpa_supplicant and Network Manager files will continue with the existing
++permissions.
++
++Autopkgtests will check if the permissions are set as expected when
++calling the generator.
++
++This fix addresses CVE-2022-4968
++---
++ src/networkd.c                | 36 ++++--------------
++ src/networkd.h                |  2 +
++ src/nm.c                      |  4 +-
++ src/openvswitch.c             |  2 +-
++ src/sriov.c                   |  2 +-
++ src/util-internal.h           |  3 ++
++ src/util.c                    | 46 +++++++++++++++++++++++
++ tests/generator/test_auth.py  |  2 +-
++ tests/generator/test_wifis.py |  2 +-
++ tests/integration/base.py     | 85 +++++++++++++++++++++++++++++++++++++++++++
++ 10 files changed, 149 insertions(+), 35 deletions(-)
++
++diff --git a/src/networkd.c b/src/networkd.c
++index 5554c99..1677381 100644
++--- a/src/networkd.c
+++++ b/src/networkd.c
++@@ -222,7 +222,6 @@ static void
++ write_link_file(const NetplanNetDefinition* def, const char* rootdir, const char* path)
++ {
++     GString* s = NULL;
++-    mode_t orig_umask;
++
++     /* Don't write .link files for virtual devices; they use .netdev instead.
++      * Don't write .link files for MODEM devices, as they aren't supported by networkd.
++@@ -284,9 +283,7 @@ write_link_file(const NetplanNetDefinition* def, const char* rootdir, const char
++         g_string_append_printf(s, "LargeReceiveOffload=%s\n",
++         (def->large_receive_offload ? "true" : "false"));
++
++-    orig_umask = umask(022);
++-    g_string_free_to_file(s, rootdir, path, ".link");
++-    umask(orig_umask);
+++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, ".link", "root", "root", 0640);
++ }
++
++ static gboolean
++@@ -304,7 +301,7 @@ write_regdom(const NetplanNetDefinition* def, const char* rootdir, GError** erro
++     g_string_append(s, "\n[Service]\nType=oneshot\n");
++     g_string_append_printf(s, "ExecStart="SBINDIR"/iw reg set %s\n", def->regulatory_domain);
++
++-    g_string_free_to_file(s, rootdir, path, NULL);
+++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++     safe_mkdir_p_dir(link);
++     if (symlink(path, link) < 0 && errno != EEXIST) {
++         // LCOV_EXCL_START
++@@ -484,7 +481,6 @@ static void
++ write_netdev_file(const NetplanNetDefinition* def, const char* rootdir, const char* path)
++ {
++     GString* s = NULL;
++-    mode_t orig_umask;
++
++     g_assert(def->type >= NETPLAN_DEF_TYPE_VIRTUAL);
++
++@@ -580,11 +576,7 @@ write_netdev_file(const NetplanNetDefinition* def, const char* rootdir, const ch
++         default: g_assert_not_reached(); // LCOV_EXCL_LINE
++     }
++
++-    /* these do not contain secrets and need to be readable by
++-     * systemd-networkd - LP: #1736965 */
++-    orig_umask = umask(022);
++-    g_string_free_to_file(s, rootdir, path, ".netdev");
++-    umask(orig_umask);
+++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, ".netdev", "root", NETWORKD_GROUP, 0640);
++ }
++
++ static void
++@@ -728,7 +720,6 @@ netplan_netdef_write_network_file(
++     g_autoptr(GString) network = NULL;
++     g_autoptr(GString) link = NULL;
++     GString* s = NULL;
++-    mode_t orig_umask;
++     gboolean is_optional = def->optional;
++
++     SET_OPT_OUT_PTR(has_been_written, FALSE);
++@@ -979,11 +970,7 @@ netplan_netdef_write_network_file(
++         if (network->len > 0)
++             g_string_append_printf(s, "\n[Network]\n%s", network->str);
++
++-        /* these do not contain secrets and need to be readable by
++-         * systemd-networkd - LP: #1736965 */
++-        orig_umask = umask(022);
++-        g_string_free_to_file(s, rootdir, path, ".network");
++-        umask(orig_umask);
+++        _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, ".network", "root", NETWORKD_GROUP, 0640);
++     }
++
++     SET_OPT_OUT_PTR(has_been_written, TRUE);
++@@ -995,7 +982,6 @@ write_rules_file(const NetplanNetDefinition* def, const char* rootdir)
++ {
++     GString* s = NULL;
++     g_autofree char* path = g_strjoin(NULL, "run/udev/rules.d/99-netplan-", def->id, ".rules", NULL);
++-    mode_t orig_umask;
++
++     /* do we need to write a .rules file?
++      * It's only required for reliably setting the name of a physical device
++@@ -1029,9 +1015,7 @@ write_rules_file(const NetplanNetDefinition* def, const char* rootdir)
++
++     g_string_append_printf(s, "NAME=\"%s\"\n", def->set_name);
++
++-    orig_umask = umask(022);
++-    g_string_free_to_file(s, rootdir, path, NULL);
++-    umask(orig_umask);
+++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++ }
++
++ static gboolean
++@@ -1180,7 +1164,6 @@ static void
++ write_wpa_unit(const NetplanNetDefinition* def, const char* rootdir)
++ {
++     g_autofree gchar *stdouth = NULL;
++-    mode_t orig_umask;
++
++     stdouth = systemd_escape(def->id);
++
++@@ -1199,9 +1182,7 @@ write_wpa_unit(const NetplanNetDefinition* def, const char* rootdir)
++     } else {
++         g_string_append(s, " -Dnl80211,wext\n");
++     }
++-    orig_umask = umask(022);
++-    g_string_free_to_file(s, rootdir, path, NULL);
++-    umask(orig_umask);
+++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++ }
++
++ static gboolean
++@@ -1210,7 +1191,6 @@ write_wpa_conf(const NetplanNetDefinition* def, const char* rootdir, GError** er
++     GHashTableIter iter;
++     GString* s = g_string_new("ctrl_interface=/run/wpa_supplicant\n\n");
++     g_autofree char* path = g_strjoin(NULL, "run/netplan/wpa-", def->id, ".conf", NULL);
++-    mode_t orig_umask;
++
++     g_debug("%s: Creating wpa_supplicant configuration file %s", def->id, path);
++     if (def->type == NETPLAN_DEF_TYPE_WIFI) {
++@@ -1299,9 +1279,7 @@ write_wpa_conf(const NetplanNetDefinition* def, const char* rootdir, GError** er
++     }
++
++     /* use tight permissions as this contains secrets */
++-    orig_umask = umask(077);
++-    g_string_free_to_file(s, rootdir, path, NULL);
++-    umask(orig_umask);
+++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0600);
++     return TRUE;
++ }
++
++diff --git a/src/networkd.h b/src/networkd.h
++index a7092b2..0214e43 100644
++--- a/src/networkd.h
+++++ b/src/networkd.h
++@@ -20,6 +20,8 @@
++ #include "netplan.h"
++ #include <glib.h>
++
+++#define NETWORKD_GROUP "systemd-network"
+++
++ NETPLAN_INTERNAL gboolean
++ netplan_netdef_write_networkd(
++         const NetplanState* np_state,
++diff --git a/src/nm.c b/src/nm.c
++index 4d6f1fe..d5dad98 100644
++--- a/src/nm.c
+++++ b/src/nm.c
++@@ -1149,13 +1149,13 @@ netplan_state_finish_nm_write(
++
++     /* write generated NetworkManager drop-in config */
++     if (nm_conf->len > 0)
++-        g_string_free_to_file(nm_conf, rootdir, "run/NetworkManager/conf.d/netplan.conf", NULL);
+++        _netplan_g_string_free_to_file_with_permissions(nm_conf, rootdir, "run/NetworkManager/conf.d/netplan.conf", NULL, "root", "root", 0640);
++     else
++         g_string_free(nm_conf, TRUE);
++
++     /* write generated udev rules */
++     if (udev_rules->len > 0)
++-        g_string_free_to_file(udev_rules, rootdir, "run/udev/rules.d/90-netplan.rules", NULL);
+++        _netplan_g_string_free_to_file_with_permissions(udev_rules, rootdir, "run/udev/rules.d/90-netplan.rules", NULL, "root", "root", 0640);
++     else
++         g_string_free(udev_rules, TRUE);
++
++diff --git a/src/openvswitch.c b/src/openvswitch.c
++index d4af861..276762e 100644
++--- a/src/openvswitch.c
+++++ b/src/openvswitch.c
++@@ -62,7 +62,7 @@ write_ovs_systemd_unit(const char* id, const GString* cmds, const char* rootdir,
++     g_string_append(s, "\n[Service]\nType=oneshot\nTimeoutStartSec=10s\n");
++     g_string_append(s, cmds->str);
++
++-    g_string_free_to_file(s, rootdir, path, NULL);
+++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++
++     safe_mkdir_p_dir(link);
++     if (symlink(path, link) < 0 && errno != EEXIST) {
++diff --git a/src/sriov.c b/src/sriov.c
++index f8117f7..c3cd80d 100644
++--- a/src/sriov.c
+++++ b/src/sriov.c
++@@ -53,7 +53,7 @@ write_sriov_rebind_systemd_unit(GHashTable* pfs, const char* rootdir, GError** e
++     g_string_truncate(interfaces, interfaces->len-1); /* cut trailing whitespace */
++     g_string_append_printf(s, "ExecStart=" SBINDIR "/netplan rebind %s\n", interfaces->str);
++
++-    g_string_free_to_file(s, rootdir, path, NULL);
+++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++     g_string_free(interfaces, TRUE);
++
++     safe_mkdir_p_dir(link);
++diff --git a/src/util-internal.h b/src/util-internal.h
++index fe41c77..b30745b 100644
++--- a/src/util-internal.h
+++++ b/src/util-internal.h
++@@ -40,6 +40,9 @@ safe_mkdir_p_dir(const char* file_path);
++ NETPLAN_INTERNAL void
++ g_string_free_to_file(GString* s, const char* rootdir, const char* path, const char* suffix);
++
+++void
+++_netplan_g_string_free_to_file_with_permissions(GString* s, const char* rootdir, const char* path, const char* suffix, const char* owner, const char* group, mode_t mode);
+++
++ NETPLAN_INTERNAL void
++ unlink_glob(const char* rootdir, const char* _glob);
++
++diff --git a/src/util.c b/src/util.c
++index cbd5ac2..edecdab 100644
++--- a/src/util.c
+++++ b/src/util.c
++@@ -22,6 +22,9 @@
++ #include <errno.h>
++ #include <string.h>
++ #include <sys/mman.h>
+++#include <sys/types.h>
+++#include <pwd.h>
+++#include <grp.h>
++
++ #include <glib.h>
++ #include <glib/gprintf.h>
++@@ -87,6 +90,49 @@ void g_string_free_to_file(GString* s, const char* rootdir, const char* path, co
++     }
++ }
++
+++void _netplan_g_string_free_to_file_with_permissions(GString* s, const char* rootdir, const char* path, const char* suffix, const char* owner, const char* group, mode_t mode)
+++{
+++    g_autofree char* full_path = NULL;
+++    g_autofree char* path_suffix = NULL;
+++    g_autofree char* contents = g_string_free(s, FALSE);
+++    GError* error = NULL;
+++    struct passwd* pw = NULL;
+++    struct group* gr = NULL;
+++    int ret = 0;
+++
+++    path_suffix = g_strjoin(NULL, path, suffix, NULL);
+++    full_path = g_build_path(G_DIR_SEPARATOR_S, rootdir ?: G_DIR_SEPARATOR_S, path_suffix, NULL);
+++    safe_mkdir_p_dir(full_path);
+++    if (!g_file_set_contents_full(full_path, contents, -1, G_FILE_SET_CONTENTS_CONSISTENT | G_FILE_SET_CONTENTS_ONLY_EXISTING, mode, &error)) {
+++        /* the mkdir() just succeeded, there is no sensible
+++         * method to test this without root privileges, bind mounts, and
+++         * simulating ENOSPC */
+++        // LCOV_EXCL_START
+++        g_fprintf(stderr, "ERROR: cannot create file %s: %s\n", path, error->message);
+++        exit(1);
+++        // LCOV_EXCL_STOP
+++    }
+++
+++    /* Here we take the owner and group names and look up for their IDs in the passwd and group files.
+++     * It's OK to fail to set the owners and mode as this code will be called from unit tests.
+++     * The autopkgtests will check if the owner/group and mode are correctly set.
+++     */
+++    pw = getpwnam(owner);
+++    if (!pw) {
+++        g_debug("Failed to determine the UID of user %s: %s", owner, strerror(errno)); // LCOV_EXCL_LINE
+++    }
+++    gr = getgrnam(group);
+++    if (!gr) {
+++        g_debug("Failed to determine the GID of group %s: %s", group, strerror(errno)); // LCOV_EXCL_LINE
+++    }
+++    if (pw && gr) {
+++        ret = chown(full_path, pw->pw_uid, gr->gr_gid);
+++        if (ret != 0) {
+++            g_debug("Failed to set owner and group for file %s: %s", full_path, strerror(errno));
+++        }
+++    }
+++}
+++
++ /**
++  * Remove all files matching given glob.
++  */
++diff --git a/tests/generator/test_auth.py b/tests/generator/test_auth.py
++index de23adb..d3d886c 100644
++--- a/tests/generator/test_auth.py
+++++ b/tests/generator/test_auth.py
++@@ -226,7 +226,7 @@ network={
++
++         with open(os.path.join(self.workdir.name, 'run/systemd/system/netplan-wpa-eth0.service')) as f:
++             self.assertEqual(f.read(), SD_WPA % {'iface': 'eth0', 'drivers': 'wired'})
++-            self.assertEqual(stat.S_IMODE(os.fstat(f.fileno()).st_mode), 0o644)
+++            self.assertEqual(stat.S_IMODE(os.fstat(f.fileno()).st_mode), 0o640)
++         self.assertTrue(os.path.islink(os.path.join(
++             self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa-eth0.service')))
++
++diff --git a/tests/generator/test_wifis.py b/tests/generator/test_wifis.py
++index b875172..610782a 100644
++--- a/tests/generator/test_wifis.py
+++++ b/tests/generator/test_wifis.py
++@@ -140,7 +140,7 @@ network={
++             self.workdir.name, 'run/systemd/system/netplan-wpa-wl0.service')))
++         with open(os.path.join(self.workdir.name, 'run/systemd/system/netplan-wpa-wl0.service')) as f:
++             self.assertEqual(f.read(), SD_WPA % {'iface': 'wl0', 'drivers': 'nl80211,wext'})
++-            self.assertEqual(stat.S_IMODE(os.fstat(f.fileno()).st_mode), 0o644)
+++            self.assertEqual(stat.S_IMODE(os.fstat(f.fileno()).st_mode), 0o640)
++         self.assertTrue(os.path.islink(os.path.join(
++             self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa-wl0.service')))
++
++diff --git a/tests/integration/base.py b/tests/integration/base.py
++index 81e8420..948b1c5 100644
++--- a/tests/integration/base.py
+++++ b/tests/integration/base.py
++@@ -32,6 +32,8 @@ import shutil
++ import gi
++ import glob
++ import json
+++import pwd
+++import grp
++
++ # make sure we point to libnetplan properly.
++ os.environ.update({'LD_LIBRARY_PATH': '.:{}'.format(os.environ.get('LD_LIBRARY_PATH'))})
++@@ -367,6 +369,89 @@ class IntegrationTestsBase(unittest.TestCase):
++             if state:
++                 self.wait_output(['ip', 'addr', 'show', iface], state, 30)
++
+++        # Assert file permissions
+++        self.assert_file_permissions()
+++
+++    def assert_file_permissions(self):
+++        """ Check if the generated files have the expected permissions """
+++
+++        nd_expected_mode = 0o100640
+++        nd_expected_owner = 'root'
+++        nd_expected_group = 'systemd-network'
+++
+++        sd_expected_mode = 0o100640
+++        sd_expected_owner = 'root'
+++        sd_expected_group = 'root'
+++
+++        udev_expected_mode = 0o100640
+++        udev_expected_owner = 'root'
+++        udev_expected_group = 'root'
+++
+++        nm_expected_mode = 0o100600
+++        nm_expected_owner = 'root'
+++        nm_expected_group = 'root'
+++
+++        wpa_expected_mode = 0o100600
+++        wpa_expected_owner = 'root'
+++        wpa_expected_group = 'root'
+++
+++        # Check systemd-networkd files
+++        base_path = '/run/systemd/network'
+++        files = glob.glob(f'{base_path}/*.network') + glob.glob(f'{base_path}/*.netdev')
+++        for file in files:
+++            res = os.stat(file)
+++            user = pwd.getpwuid(res.st_uid)
+++            group = grp.getgrgid(res.st_gid)
+++            self.assertEqual(res.st_mode, nd_expected_mode, f'file {file}')
+++            self.assertEqual(user.pw_name, nd_expected_owner, f'file {file}')
+++            self.assertEqual(group.gr_name, nd_expected_group, f'file {file}')
+++
+++        # Check Network Manager files
+++        base_path = '/run/NetworkManager/system-connections'
+++        files = glob.glob(f'{base_path}/*.nmconnection')
+++        for file in files:
+++            res = os.stat(file)
+++            user = pwd.getpwuid(res.st_uid)
+++            group = grp.getgrgid(res.st_gid)
+++            self.assertEqual(res.st_mode, nm_expected_mode, f'file {file}')
+++            self.assertEqual(user.pw_name, nm_expected_owner, f'file {file}')
+++            self.assertEqual(group.gr_name, nm_expected_group, f'file {file}')
+++
+++        # Check wpa_supplicant configuration files
+++        base_path = '/run/netplan'
+++        files = glob.glob(f'{base_path}/wpa-*.conf')
+++        for file in files:
+++            res = os.stat(file)
+++            user = pwd.getpwuid(res.st_uid)
+++            group = grp.getgrgid(res.st_gid)
+++            self.assertEqual(res.st_mode, wpa_expected_mode, f'file {file}')
+++            self.assertEqual(user.pw_name, wpa_expected_owner, f'file {file}')
+++            self.assertEqual(group.gr_name, wpa_expected_group, f'file {file}')
+++
+++        # Check systemd service unit files
+++        base_path = '/run/systemd/system/'
+++        files = glob.glob(f'{base_path}/netplan-*.service')
+++        files += glob.glob(f'{base_path}/systemd-networkd-wait-online.service.d/*.conf')
+++        for file in files:
+++            res = os.stat(file)
+++            user = pwd.getpwuid(res.st_uid)
+++            group = grp.getgrgid(res.st_gid)
+++            self.assertEqual(res.st_mode, sd_expected_mode, f'file {file}')
+++            self.assertEqual(user.pw_name, sd_expected_owner, f'file {file}')
+++            self.assertEqual(group.gr_name, sd_expected_group, f'file {file}')
+++
+++        # Check systemd-udevd files
+++        udev_path = '/run/udev/rules.d'
+++        link_path = '/run/systemd/network'
+++        files = glob.glob(f'{udev_path}/*-netplan*.rules') + glob.glob(f'{link_path}/*.link')
+++        for file in files:
+++            res = os.stat(file)
+++            user = pwd.getpwuid(res.st_uid)
+++            group = grp.getgrgid(res.st_gid)
+++            self.assertEqual(res.st_mode, udev_expected_mode, f'file {file}')
+++            self.assertEqual(user.pw_name, udev_expected_owner, f'file {file}')
+++            self.assertEqual(group.gr_name, udev_expected_group, f'file {file}')
+++
++     def state(self, iface, state):
++         '''Tell generate_and_settle() to wait for a specific state'''
++         return iface + '/' + state
 diff --git a/debian/patches/lp2066258/0014-libnetplan-escape-control-characters.patch b/debian/patches/lp2066258/0014-libnetplan-escape-control-characters.patch
 new file mode 100644
 index 0000000..5c7cad8
 --- /dev/null
 +++ b/debian/patches/lp2066258/0014-libnetplan-escape-control-characters.patch
@@ -0,0 +1,863 @@
++From: Danilo Egea Gondolfo <danilogondolfo@gmail.com>
++Date: Wed, 29 May 2024 14:50:55 +0100
++Subject: libnetplan: escape control characters
++
++Control characters are escaped in the parser using glib's g_strescape.
++Quotes and backslashes were added to the list of exception.
++
++In places where double quotes are not escaped, such as netdef IDs as it
++is allowed as interface names, they are escaped as needed when
++generating back end configuration.
++
++To support escaping in wpa_supplicant configuration, the syntax for
++setting the SSID was changed to 'ssid=P"string here"'. With that,
++escaping is support in a printf-style.
++---
++ src/networkd.c                 | 32 ++++++++++-----
++ src/nm.c                       | 21 ++++++----
++ src/parse.c                    | 92 +++++++++++++++++++++++++++---------------
++ src/util-internal.h            |  3 ++
++ src/util.c                     | 11 +++++
++ tests/generator/test_auth.py   | 20 ++++-----
++ tests/generator/test_common.py | 42 +++++++++++++++++--
++ tests/generator/test_wifis.py  | 78 ++++++++++++++++++++++++++---------
++ 8 files changed, 216 insertions(+), 83 deletions(-)
++
++diff --git a/src/networkd.c b/src/networkd.c
++index 1677381..ac54112 100644
++--- a/src/networkd.c
+++++ b/src/networkd.c
++@@ -1005,7 +1005,8 @@ write_rules_file(const NetplanNetDefinition* def, const char* rootdir)
++     g_string_append(s, "SUBSYSTEM==\"net\", ACTION==\"add\", ");
++
++     if (def->match.driver) {
++-        g_string_append_printf(s,"DRIVERS==\"%s\", ", def->match.driver);
+++        g_autofree char* driver = _netplan_scrub_string(def->match.driver);
+++        g_string_append_printf(s,"DRIVERS==\"%s\", ", driver);
++     } else {
++         g_string_append(s, "DRIVERS==\"?*\", ");
++     }
++@@ -1013,7 +1014,8 @@ write_rules_file(const NetplanNetDefinition* def, const char* rootdir)
++     if (def->match.mac)
++         g_string_append_printf(s, "ATTR{address}==\"%s\", ", def->match.mac);
++
++-    g_string_append_printf(s, "NAME=\"%s\"\n", def->set_name);
+++    g_autofree char* set_name = _netplan_scrub_string(def->set_name);
+++    g_string_append_printf(s, "NAME=\"%s\"\n", set_name);
++
++     _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++ }
++@@ -1101,10 +1103,12 @@ append_wpa_auth_conf(GString* s, const NetplanAuthenticationSettings* auth, cons
++     }
++
++     if (auth->identity) {
++-        g_string_append_printf(s, "  identity=\"%s\"\n", auth->identity);
+++        g_autofree char* identity = _netplan_scrub_string(auth->identity);
+++        g_string_append_printf(s, "  identity=\"%s\"\n", identity);
++     }
++     if (auth->anonymous_identity) {
++-        g_string_append_printf(s, "  anonymous_identity=\"%s\"\n", auth->anonymous_identity);
+++        g_autofree char* anonymous_identity = _netplan_scrub_string(auth->anonymous_identity);
+++        g_string_append_printf(s, "  anonymous_identity=\"%s\"\n", anonymous_identity);
++     }
++
++     char* psk = NULL;
++@@ -1142,19 +1146,23 @@ append_wpa_auth_conf(GString* s, const NetplanAuthenticationSettings* auth, cons
++         }
++     }
++     if (auth->ca_certificate) {
++-        g_string_append_printf(s, "  ca_cert=\"%s\"\n", auth->ca_certificate);
+++        g_autofree char* ca_certificate = _netplan_scrub_string(auth->ca_certificate);
+++        g_string_append_printf(s, "  ca_cert=\"%s\"\n", ca_certificate);
++     }
++     if (auth->client_certificate) {
++-        g_string_append_printf(s, "  client_cert=\"%s\"\n", auth->client_certificate);
+++        g_autofree char* client_certificate = _netplan_scrub_string(auth->client_certificate);
+++        g_string_append_printf(s, "  client_cert=\"%s\"\n", client_certificate);
++     }
++     if (auth->client_key) {
++-        g_string_append_printf(s, "  private_key=\"%s\"\n", auth->client_key);
+++        g_autofree char* client_key = _netplan_scrub_string(auth->client_key);
+++        g_string_append_printf(s, "  private_key=\"%s\"\n", client_key);
++     }
++     if (auth->client_key_password) {
++         g_string_append_printf(s, "  private_key_passwd=\"%s\"\n", auth->client_key_password);
++     }
++     if (auth->phase2_auth) {
++-        g_string_append_printf(s, "  phase2=\"auth=%s\"\n", auth->phase2_auth);
+++        g_autofree char* phase2_auth = _netplan_scrub_string(auth->phase2_auth);
+++        g_string_append_printf(s, "  phase2=\"auth=%s\"\n", phase2_auth);
++     }
++     return TRUE;
++ }
++@@ -1203,14 +1211,16 @@ write_wpa_conf(const NetplanNetDefinition* def, const char* rootdir, GError** er
++         }
++         /* available as of wpa_supplicant version 0.6.7 */
++         if (def->regulatory_domain) {
++-            g_string_append_printf(s, "country=%s\n", def->regulatory_domain);
+++            g_autofree char* regdom = _netplan_scrub_string(def->regulatory_domain);
+++            g_string_append_printf(s, "country=%s\n", regdom);
++         }
++         NetplanWifiAccessPoint* ap;
++         g_hash_table_iter_init(&iter, def->access_points);
++         while (g_hash_table_iter_next(&iter, NULL, (gpointer) &ap)) {
++             gchar* freq_config_str = ap->mode == NETPLAN_WIFI_MODE_ADHOC ? "frequency" : "freq_list";
+++            g_autofree char* ssid = _netplan_scrub_string(ap->ssid);
++
++-            g_string_append_printf(s, "network={\n  ssid=\"%s\"\n", ap->ssid);
+++            g_string_append_printf(s, "network={\n  ssid=P\"%s\"\n", ssid);
++             if (ap->bssid) {
++                 g_string_append_printf(s, "  bssid=%s\n", ap->bssid);
++             }
++@@ -1257,7 +1267,7 @@ write_wpa_conf(const NetplanNetDefinition* def, const char* rootdir, GError** er
++
++             /* wifi auth trumps netdef auth */
++             if (ap->has_auth) {
++-                if (!append_wpa_auth_conf(s, &ap->auth, ap->ssid, error)) {
+++                if (!append_wpa_auth_conf(s, &ap->auth, ssid, error)) {
++                     g_string_free(s, TRUE);
++                     return FALSE;
++                 }
++diff --git a/src/nm.c b/src/nm.c
++index d5dad98..a605c38 100644
++--- a/src/nm.c
+++++ b/src/nm.c
++@@ -1081,28 +1081,30 @@ netplan_state_finish_nm_write(
++         GString *tmp = NULL;
++         guint unmanaged = nd->backend == NETPLAN_BACKEND_NM ? 0 : 1;
++
+++        g_autofree char* netdef_id = _netplan_scrub_string(nd->id);
++         /* Special case: manage or ignore any device of given type on empty "match: {}" stanza */
++         if (nd->has_match && !nd->match.driver && !nd->match.mac && !nd->match.original_name) {
++             nm_type = type_str(nd);
++             g_assert(nm_type);
++             g_string_append_printf(nm_conf, "[device-netplan.%s.%s]\nmatch-device=type:%s\n"
++                                             "managed=%d\n\n", netplan_def_type_name(nd->type),
++-                                            nd->id, nm_type, !unmanaged);
+++                                            netdef_id, nm_type, !unmanaged);
++         }
++         /* Normal case: manage or ignore devices by specific udev rules */
++         else {
++             const gchar *prefix = "SUBSYSTEM==\"net\", ACTION==\"add|change|move\",";
++             const gchar *suffix = nd->backend == NETPLAN_BACKEND_NM ? " ENV{NM_UNMANAGED}=\"0\"\n" : " ENV{NM_UNMANAGED}=\"1\"\n";
++             g_string_append_printf(udev_rules, "# netplan: network.%s.%s (on NetworkManager %s)\n",
++-                                   netplan_def_type_name(nd->type), nd->id,
+++                                   netplan_def_type_name(nd->type), netdef_id,
++                                    unmanaged ? "deny-list" : "allow-list");
++             /* Match by explicit interface name, if possible */
++             if (nd->set_name) {
++                 // simple case: explicit new interface name
++-                g_string_append_printf(udev_rules, "%s ENV{ID_NET_NAME}==\"%s\",%s", prefix, nd->set_name, suffix);
+++                g_autofree char* set_name = _netplan_scrub_string(nd->set_name);
+++                g_string_append_printf(udev_rules, "%s ENV{ID_NET_NAME}==\"%s\",%s", prefix, set_name, suffix);
++             } else if (!nd->has_match) {
++                 // simple case: explicit netplan ID is interface name
++-                g_string_append_printf(udev_rules, "%s ENV{ID_NET_NAME}==\"%s\",%s", prefix, nd->id, suffix);
+++                g_string_append_printf(udev_rules, "%s ENV{ID_NET_NAME}==\"%s\",%s", prefix, netdef_id, suffix);
++             }
++             /* Also, match by explicit (new) MAC, if available */
++             if (nd->set_mac) {
++@@ -1118,9 +1120,10 @@ netplan_state_finish_nm_write(
++                 // match on original name glob
++                 // TODO: maybe support matching on multiple name globs in the future (like drivers)
++                 g_string_append(udev_rules, prefix);
++-                if (nd->match.original_name)
++-                    g_string_append_printf(udev_rules, " ENV{ID_NET_NAME}==\"%s\",", nd->match.original_name);
++-
+++                if (nd->match.original_name) {
+++                    g_autofree char* original_name = _netplan_scrub_string(nd->match.original_name);
+++                    g_string_append_printf(udev_rules, " ENV{ID_NET_NAME}==\"%s\",", original_name);
+++                }
++                 // match on (explicit) MAC address. Yes this would be unique on its own, but we
++                 // keep it within the "full match" to make the logic more comprehensible.
++                 if (nd->match.mac) {
++@@ -1138,7 +1141,9 @@ netplan_state_finish_nm_write(
++                         g_strfreev(split);
++                     } else
++                         drivers = g_strdup(nd->match.driver);
++-                    g_string_append_printf(udev_rules, " ENV{ID_NET_DRIVER}==\"%s\",", drivers);
+++
+++                    g_autofree char* escaped_drivers = _netplan_scrub_string(drivers);
+++                    g_string_append_printf(udev_rules, " ENV{ID_NET_DRIVER}==\"%s\",", escaped_drivers);
++                     g_free(drivers);
++                 }
++                 g_string_append(udev_rules, suffix);
++diff --git a/src/parse.c b/src/parse.c
++index d70b564..e37648d 100644
++--- a/src/parse.c
+++++ b/src/parse.c
++@@ -59,6 +59,15 @@ extern NetplanState global_state;
++
++ NetplanParser global_parser = {0};
++
+++/*
+++ * We use g_strescape to escape control characters from the input.
+++ * Besides control characters, g_strescape will also escape double quotes and backslashes.
+++ * Quotes are escaped at configuration generation time as needed, as they might be part of passwords for example.
+++ * Escaping backslashes in the parser affects "netplan set" as it will always escape \'s from
+++ * the input and update YAMLs with all the \'s escaped again.
+++*/
+++static char* STRESCAPE_EXCEPTIONS = "\"\\";
+++
++ static gboolean
++ insert_kv_into_hash(void *key, void *value, void *hash);
++
++@@ -365,7 +374,7 @@ handle_generic_str(NetplanParser* npp, yaml_node_t* node, void* entryptr, const
++     guint offset = GPOINTER_TO_UINT(data);
++     char** dest = (char**) ((void*) entryptr + offset);
++     g_free(*dest);
++-    *dest = g_strdup(scalar(node));
+++    *dest = g_strescape(scalar(node), STRESCAPE_EXCEPTIONS);
++     mark_data_as_dirty(npp, dest);
++     return TRUE;
++ }
++@@ -480,22 +489,25 @@ handle_generic_map(NetplanParser *npp, yaml_node_t* node, const char* key_prefix
++         assert_type(npp, key, YAML_SCALAR_NODE);
++         assert_type(npp, value, YAML_SCALAR_NODE);
++
+++        g_autofree char* escaped_key = g_strescape(scalar(key), STRESCAPE_EXCEPTIONS);
+++        g_autofree char* escaped_value = g_strescape(scalar(value), STRESCAPE_EXCEPTIONS);
+++
++         if (key_prefix && npp->null_fields) {
++             g_autofree char* full_key = NULL;
++-            full_key = g_strdup_printf("%s\t%s", key_prefix, key->data.scalar.value);
+++            full_key = g_strdup_printf("%s\t%s", key_prefix, escaped_key);
++             if (g_hash_table_contains(npp->null_fields, full_key))
++                 continue;
++         }
++
++         char* stored_value = NULL;
++-        if (g_hash_table_lookup_extended(*map, scalar(key), NULL, (void**)&stored_value)) {
+++        if (g_hash_table_lookup_extended(*map, escaped_key, NULL, (void**)&stored_value)) {
++             /* We can safely skip this if it is the exact key/value match
++              * (probably caused by multi-pass processing) */
++-            if (g_strcmp0(stored_value, scalar(value)) == 0)
+++            if (g_strcmp0(stored_value, escaped_value) == 0)
++                 continue;
++-            return yaml_error(npp, node, error, "duplicate map entry '%s'", scalar(key));
+++            return yaml_error(npp, node, error, "duplicate map entry '%s'", escaped_key);
++         } else
++-            g_hash_table_insert(*map, g_strdup(scalar(key)), g_strdup(scalar(value)));
+++            g_hash_table_insert(*map, g_strdup(escaped_key), g_strdup(escaped_value));
++     }
++     mark_data_as_dirty(npp, map);
++
++@@ -518,20 +530,26 @@ handle_generic_datalist(NetplanParser *npp, yaml_node_t* node, const char* key_p
++     for (yaml_node_pair_t* entry = node->data.mapping.pairs.start; entry < node->data.mapping.pairs.top; entry++) {
++         yaml_node_t* key, *value;
++         g_autofree char* full_key = NULL;
+++        g_autofree char* escaped_key = NULL;
+++        g_autofree char* escaped_value = NULL;
++
++         key = yaml_document_get_node(&npp->doc, entry->key);
++         value = yaml_document_get_node(&npp->doc, entry->value);
++
++         assert_type(npp, key, YAML_SCALAR_NODE);
++         assert_type(npp, value, YAML_SCALAR_NODE);
+++
+++        escaped_key = g_strescape(scalar(key), STRESCAPE_EXCEPTIONS);
+++        escaped_value = g_strescape(scalar(value), STRESCAPE_EXCEPTIONS);
+++
++         if (npp->null_fields && key_prefix) {
++-            full_key = g_strdup_printf("%s\t%s", key_prefix, scalar(key));
+++            full_key = g_strdup_printf("%s\t%s", key_prefix, escaped_key);
++             if (g_hash_table_contains(npp->null_fields, full_key))
++                 continue;
++         }
++
++-        g_datalist_id_set_data_full(list, g_quark_from_string(scalar(key)),
++-                                    g_strdup(scalar(value)), g_free);
+++        g_datalist_id_set_data_full(list, g_quark_from_string(escaped_key),
+++                                    g_strdup(escaped_value), g_free);
++     }
++     mark_data_as_dirty(npp, list);
++
++@@ -864,13 +882,14 @@ handle_match_driver(NetplanParser* npp, yaml_node_t* node, __unused const char*
++         for (yaml_node_item_t *iter = node->data.sequence.items.start; iter < node->data.sequence.items.top; iter++) {
++             elem = yaml_document_get_node(&npp->doc, *iter);
++             assert_type(npp, elem, YAML_SCALAR_NODE);
++-            if (g_strrstr(scalar(elem), " "))
+++            g_autofree char* escaped_elem = g_strescape(scalar(elem), STRESCAPE_EXCEPTIONS);
+++            if (g_strrstr(escaped_elem, " "))
++                 return yaml_error(npp, node, error, "A 'driver' glob cannot contain whitespace");
++
++             if (!sequence)
++-                sequence = g_string_new(scalar(elem));
+++                sequence = g_string_new(escaped_elem);
++             else
++-                g_string_append_printf(sequence, "\t%s", scalar(elem)); /* tab separated */
+++                g_string_append_printf(sequence, "\t%s", escaped_elem); /* tab separated */
++         }
++
++         if (!sequence)
++@@ -902,7 +921,7 @@ handle_auth_str(NetplanParser* npp, yaml_node_t* node, const void* data, __unuse
++     guint offset = GPOINTER_TO_UINT(data);
++     char** dest = (char**) ((void*) npp->current.auth + offset);
++     g_free(*dest);
++-    *dest = g_strdup(scalar(node));
+++    *dest = g_strescape(scalar(node), STRESCAPE_EXCEPTIONS);
++     mark_data_as_dirty(npp, dest);
++     return TRUE;
++ }
++@@ -1050,7 +1069,7 @@ handle_access_point_password(NetplanParser* npp, yaml_node_t* node, __unused con
++
++     access_point->auth.pmf_mode = NETPLAN_AUTH_PMF_MODE_OPTIONAL;
++     g_free(access_point->auth.psk);
++-    access_point->auth.psk = g_strdup(scalar(node));
+++    access_point->auth.psk = g_strescape(scalar(node), STRESCAPE_EXCEPTIONS);
++     return TRUE;
++ }
++
++@@ -1434,6 +1453,7 @@ handle_wifi_access_points(NetplanParser* npp, yaml_node_t* node, const char* key
++     for (yaml_node_pair_t* entry = node->data.mapping.pairs.start; entry < node->data.mapping.pairs.top; entry++) {
++         NetplanWifiAccessPoint *access_point = NULL;
++         g_autofree char* full_key = NULL;
+++        g_autofree char* escaped_key = NULL;
++         yaml_node_t* key, *value;
++         const gchar* ssid;
++
++@@ -1442,13 +1462,15 @@ handle_wifi_access_points(NetplanParser* npp, yaml_node_t* node, const char* key
++         value = yaml_document_get_node(&npp->doc, entry->value);
++         assert_type(npp, value, YAML_MAPPING_NODE);
++
+++        escaped_key = g_strescape(scalar(key), STRESCAPE_EXCEPTIONS);
+++
++         if (key_prefix && npp->null_fields) {
++-            full_key = g_strdup_printf("%s\t%s", key_prefix, key->data.scalar.value);
+++            full_key = g_strdup_printf("%s\t%s", key_prefix, escaped_key);
++             if (g_hash_table_contains(npp->null_fields, full_key))
++                 continue;
++         }
++
++-        ssid = scalar(key);
+++        ssid = escaped_key;
++
++         /*
++          * Delete the access-point if it already exists in the netdef and let the new
++@@ -1606,15 +1628,16 @@ handle_nameservers_search(NetplanParser* npp, yaml_node_t* node, __unused const
++     for (yaml_node_item_t *i = node->data.sequence.items.start; i < node->data.sequence.items.top; i++) {
++         yaml_node_t *entry = yaml_document_get_node(&npp->doc, *i);
++         assert_type(npp, entry, YAML_SCALAR_NODE);
+++        g_autofree char* escaped_entry = g_strescape(scalar(entry), STRESCAPE_EXCEPTIONS);
++
++         if (!npp->current.netdef->search_domains)
++             npp->current.netdef->search_domains = g_array_new(FALSE, FALSE, sizeof(char*));
++
++-        if (!is_string_in_array(npp->current.netdef->search_domains, scalar(entry))) {
++-            char* s = g_strdup(scalar(entry));
+++        if (!is_string_in_array(npp->current.netdef->search_domains, escaped_entry)) {
+++            char* s = g_strdup(escaped_entry);
++             g_array_append_val(npp->current.netdef->search_domains, s);
++         } else {
++-            g_debug("%s: Search domain '%s' has already been added", npp->current.netdef->id, scalar(entry));
+++            g_debug("%s: Search domain '%s' has already been added", npp->current.netdef->id, escaped_entry);
++         }
++     }
++     mark_data_as_dirty(npp, &npp->current.netdef->search_domains);
++@@ -2720,19 +2743,19 @@ handle_ovs_bridge_controller_addresses(NetplanParser* npp, yaml_node_t* node, __
++
++         /* Format: [p]unix:file */
++         if (is_unix && vec[1] != NULL && vec[2] == NULL) {
++-            char* s = g_strdup(scalar(entry));
+++            char* s = g_strescape(scalar(entry), STRESCAPE_EXCEPTIONS);
++             g_array_append_val(npp->current.netdef->ovs_settings.controller.addresses, s);
++             g_strfreev(vec);
++             continue;
++         /* Format tcp:host[:port] or ssl:host[:port] */
++         } else if (is_host && validate_ovs_target(TRUE, vec[1])) {
++-            char* s = g_strdup(scalar(entry));
+++            char* s = g_strescape(scalar(entry), STRESCAPE_EXCEPTIONS);
++             g_array_append_val(npp->current.netdef->ovs_settings.controller.addresses, s);
++             g_strfreev(vec);
++             continue;
++         /* Format ptcp:[port][:host] or pssl:[port][:host] */
++         } else if (is_port && validate_ovs_target(FALSE, vec[1])) {
++-            char* s = g_strdup(scalar(entry));
+++            char* s = g_strescape(scalar(entry), STRESCAPE_EXCEPTIONS);
++             g_array_append_val(npp->current.netdef->ovs_settings.controller.addresses, s);
++             g_strfreev(vec);
++             continue;
++@@ -3044,6 +3067,8 @@ handle_network_ovs_settings_global_ports(NetplanParser* npp, yaml_node_t* node,
++     NetplanNetDefinition *component2 = NULL;
++
++     for (yaml_node_item_t *iter = node->data.sequence.items.start; iter < node->data.sequence.items.top; iter++) {
+++        g_autofree char* escaped_port = NULL;
+++        g_autofree char* escaped_peer = NULL;
++         pair = yaml_document_get_node(&npp->doc, *iter);
++         assert_type(npp, pair, YAML_SEQUENCE_NODE);
++
++@@ -3061,11 +3086,14 @@ handle_network_ovs_settings_global_ports(NetplanParser* npp, yaml_node_t* node,
++         if (!g_strcmp0(scalar(port), scalar(peer)))
++             return yaml_error(npp, peer, error, "Open vSwitch patch ports must be of different name");
++
+++        escaped_port = g_strescape(scalar(port), STRESCAPE_EXCEPTIONS);
+++        escaped_peer = g_strescape(scalar(peer), STRESCAPE_EXCEPTIONS);
+++
++         /* Create port 1 netdef */
++-        component1 = npp->parsed_defs ? g_hash_table_lookup(npp->parsed_defs, scalar(port)) : NULL;
+++        component1 = npp->parsed_defs ? g_hash_table_lookup(npp->parsed_defs, escaped_port) : NULL;
++         if (!component1) {
++-            component1 = netplan_netdef_new(npp, scalar(port), NETPLAN_DEF_TYPE_PORT, NETPLAN_BACKEND_OVS);
++-            if (g_hash_table_remove(npp->missing_id, scalar(port)))
+++            component1 = netplan_netdef_new(npp, escaped_port, NETPLAN_DEF_TYPE_PORT, NETPLAN_BACKEND_OVS);
+++            if (g_hash_table_remove(npp->missing_id, escaped_port))
++                 npp->missing_ids_found++;
++         }
++
++@@ -3076,15 +3104,15 @@ handle_network_ovs_settings_global_ports(NetplanParser* npp, yaml_node_t* node,
++             component1->filepath = g_strdup(npp->current.filepath);
++         }
++
++-        if (component1->peer && g_strcmp0(component1->peer, scalar(peer)))
+++        if (component1->peer && g_strcmp0(component1->peer, escaped_peer))
++             return yaml_error(npp, port, error, "Open vSwitch port '%s' is already assigned to peer '%s'",
++                               component1->id, component1->peer);
++
++         /* Create port 2 (peer) netdef */
++-        component2 = npp->parsed_defs ? g_hash_table_lookup(npp->parsed_defs, scalar(peer)) : NULL;
+++        component2 = npp->parsed_defs ? g_hash_table_lookup(npp->parsed_defs, escaped_peer) : NULL;
++         if (!component2) {
++-            component2 = netplan_netdef_new(npp, scalar(peer), NETPLAN_DEF_TYPE_PORT, NETPLAN_BACKEND_OVS);
++-            if (g_hash_table_remove(npp->missing_id, scalar(peer)))
+++            component2 = netplan_netdef_new(npp, escaped_peer, NETPLAN_DEF_TYPE_PORT, NETPLAN_BACKEND_OVS);
+++            if (g_hash_table_remove(npp->missing_id, escaped_peer))
++                 npp->missing_ids_found++;
++         }
++
++@@ -3095,16 +3123,16 @@ handle_network_ovs_settings_global_ports(NetplanParser* npp, yaml_node_t* node,
++             component2->filepath = g_strdup(npp->current.filepath);
++         }
++
++-        if (component2->peer && g_strcmp0(component2->peer, scalar(port)))
+++        if (component2->peer && g_strcmp0(component2->peer, escaped_port))
++             return yaml_error(npp, peer, error, "Open vSwitch port '%s' is already assigned to peer '%s'",
++                               component2->id, component2->peer);
++
++         if (!component1->peer) {
++-            component1->peer = g_strdup(scalar(peer));
+++            component1->peer = g_strdup(escaped_peer);
++             component1->peer_link = component2;
++         }
++         if (!component2->peer) {
++-            component2->peer = g_strdup(scalar(port));
+++            component2->peer = g_strdup(escaped_port);
++             component2->peer_link = component1;
++         }
++     }
++diff --git a/src/util-internal.h b/src/util-internal.h
++index b30745b..f6f36fc 100644
++--- a/src/util-internal.h
+++++ b/src/util-internal.h
++@@ -182,3 +182,6 @@ _netplan_netdef_pertype_iter_next(struct netdef_pertype_iter* it);
++
++ NETPLAN_INTERNAL void
++ _netplan_netdef_pertype_iter_free(struct netdef_pertype_iter* it);
+++
+++gchar*
+++_netplan_scrub_string(const char* content);
++diff --git a/src/util.c b/src/util.c
++index edecdab..d8d3a57 100644
++--- a/src/util.c
+++++ b/src/util.c
++@@ -1223,3 +1223,14 @@ _is_auth_key_management_psk(const NetplanAuthenticationSettings* auth)
++     return (   auth->key_management == NETPLAN_AUTH_KEY_MANAGEMENT_WPA_PSK
++             || auth->key_management == NETPLAN_AUTH_KEY_MANAGEMENT_WPA_SAE);
++ }
+++
+++gchar*
+++_netplan_scrub_string(const char* content)
+++{
+++    GString* s = g_string_new(content);
+++
+++    // Escape double quotes
+++    g_string_replace(s, "\"", "\\\"", 0);
+++
+++    return g_string_free(s, FALSE);
+++}
++diff --git a/tests/generator/test_auth.py b/tests/generator/test_auth.py
++index d3d886c..bf0108a 100644
++--- a/tests/generator/test_auth.py
+++++ b/tests/generator/test_auth.py
++@@ -92,21 +92,21 @@ class TestNetworkd(TestBase):
++             self.assertIn('ctrl_interface=/run/wpa_supplicant', new_config)
++             self.assertIn('''
++ network={
++-  ssid="peer2peer"
+++  ssid=P"peer2peer"
++   mode=1
++   key_mgmt=NONE
++ }
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="Luke's Home"
+++  ssid=P"Luke's Home"
++   key_mgmt=WPA-PSK
++   psk="4lsos3kr1t"
++ }
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="BobsHome"
+++  ssid=P"BobsHome"
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++   ieee80211w=1
++   psk=e03ce667c87bc81ca968d9120ca37f89eb09aec3c55b80386e5d772efd6b926e
++@@ -114,14 +114,14 @@ network={
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="BillsHome"
+++  ssid=P"BillsHome"
++   key_mgmt=WPA-PSK
++   psk=db3b0acf5653aeaddd5fe034fb9f07175b2864f847b005aaa2f09182d9411b04
++ }
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="workplace2"
+++  ssid=P"workplace2"
++   key_mgmt=WPA-EAP
++   eap=PEAP
++   identity="joe@internal.example.com"
++@@ -131,7 +131,7 @@ network={
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="workplace"
+++  ssid=P"workplace"
++   key_mgmt=WPA-EAP
++   eap=TTLS
++   identity="joe@internal.example.com"
++@@ -141,7 +141,7 @@ network={
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="workplacehashed"
+++  ssid=P"workplacehashed"
++   key_mgmt=WPA-EAP
++   eap=TTLS
++   identity="joe@internal.example.com"
++@@ -151,7 +151,7 @@ network={
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="customernet"
+++  ssid=P"customernet"
++   key_mgmt=WPA-EAP
++   eap=TLS
++   identity="cert-joe@cust.example.com"
++@@ -164,13 +164,13 @@ network={
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="opennet"
+++  ssid=P"opennet"
++   key_mgmt=NONE
++ }
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="Joe's Home"
+++  ssid=P"Joe's Home"
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++   ieee80211w=1
++   psk="s0s3kr1t"
++diff --git a/tests/generator/test_common.py b/tests/generator/test_common.py
++index 785f6f4..3aab3f7 100644
++--- a/tests/generator/test_common.py
+++++ b/tests/generator/test_common.py
++@@ -19,7 +19,7 @@
++ import os
++ import textwrap
++
++-from .base import TestBase, ND_DHCP4, ND_DHCP6, ND_DHCPYES, ND_EMPTY, NM_MANAGED, NM_UNMANAGED
+++from .base import UDEV_NO_MAC_RULE, TestBase, ND_DHCP4, ND_DHCP6, ND_DHCPYES, ND_EMPTY, NM_MANAGED, NM_UNMANAGED
++
++
++ class TestNetworkd(TestBase):
++@@ -815,6 +815,18 @@ RouteMetric=100
++ UseMTU=true
++ '''})
++
+++    def test_nd_udev_rules_escaped(self):
+++        self.generate('''network:
+++  version: 2
+++  renderer: NetworkManager
+++  ethernets:
+++    def1:
+++      match:
+++        driver: "abc\\"xyz\\n0\\n\\n1"
+++      set-name: "eth\\"\\n\\nxyz\\n0"''', skip_generated_yaml_validation=True)
+++
+++        self.assert_networkd_udev({'def1.rules': (UDEV_NO_MAC_RULE % ('abc\\"xyz\\n0\\n\\n1', 'eth\\"\\n\\nxyz\\n0'))})
+++
++
++ class TestNetworkManager(TestBase):
++
++@@ -1320,6 +1332,28 @@ dns=8.8.8.8;
++ method=ignore
++ '''})
++
+++    def test_nm_udev_rules_escaped(self):
+++        self.generate('''network:
+++  version: 2
+++  renderer: networkd
+++  ethernets:
+++    eth0:
+++      match:
+++        name: "eth\\"0"
+++      dhcp4: true''')
+++        self.assert_nm_udev(NM_UNMANAGED % 'eth\\"0')
+++
+++        self.generate('''network:
+++  version: 2
+++  renderer: networkd
+++  ethernets:
+++    eth0:
+++      match:
+++        name: "eth0"
+++      set-name: "eth\\n0"
+++      dhcp4: true''', skip_generated_yaml_validation=True)
+++        self.assert_nm_udev(NM_UNMANAGED % 'eth\\n0' + NM_UNMANAGED % 'eth0')
+++
++
++ class TestForwardDeclaration(TestBase):
++
++@@ -1782,13 +1816,13 @@ LinkLocalAddressing=ipv6
++         self.assert_wpa_supplicant("wlan0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="mynewwifi"
+++  ssid=P"mynewwifi"
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++   ieee80211w=1
++   psk="aaaaaaaa"
++ }
++ network={
++-  ssid="mywifi"
+++  ssid=P"mywifi"
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++   ieee80211w=1
++   psk="aaaaaaaa"
++@@ -1819,7 +1853,7 @@ network={
++         self.assert_wpa_supplicant("wlan0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="mywifi"
+++  ssid=P"mywifi"
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++   ieee80211w=1
++   psk="bbbbbbbb"
++diff --git a/tests/generator/test_wifis.py b/tests/generator/test_wifis.py
++index 610782a..9f7359b 100644
++--- a/tests/generator/test_wifis.py
+++++ b/tests/generator/test_wifis.py
++@@ -65,7 +65,7 @@ class TestNetworkd(TestBase):
++         with open(os.path.join(self.workdir.name, 'run/netplan/wpa-wl0.conf')) as f:
++             new_config = f.read()
++
++-            network = 'ssid="{}"\n  freq_list='.format('band-no-channel2')
+++            network = 'ssid=P"{}"\n  freq_list='.format('band-no-channel2')
++             freqs_5GHz = [5610, 5310, 5620, 5320, 5630, 5640, 5340, 5035, 5040, 5045, 5055, 5060, 5660, 5680, 5670, 5080, 5690,
++                           5700, 5710, 5720, 5825, 5745, 5755, 5805, 5765, 5160, 5775, 5170, 5480, 5180, 5795, 5190, 5500, 5200,
++                           5510, 5210, 5520, 5220, 5530, 5230, 5540, 5240, 5550, 5250, 5560, 5260, 5570, 5270, 5580, 5280, 5590,
++@@ -76,7 +76,7 @@ class TestNetworkd(TestBase):
++             for freq in freqs_5GHz:
++                 self.assertRegex(new_config, '{}[ 0-9]*{}[ 0-9]*\n'.format(network, freq))
++
++-            network = 'ssid="{}"\n  freq_list='.format('band-no-channel')
+++            network = 'ssid=P"{}"\n  freq_list='.format('band-no-channel')
++             freqs_24GHz = [2412, 2417, 2422, 2427, 2432, 2442, 2447, 2437, 2452, 2457, 2462, 2467, 2472, 2484]
++             freqs = new_config.split(network)
++             freqs = freqs[1].split('\n')[0]
++@@ -86,20 +86,20 @@ class TestNetworkd(TestBase):
++
++             self.assertIn('''
++ network={
++-  ssid="channel-no-band"
+++  ssid=P"channel-no-band"
++   key_mgmt=NONE
++ }
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="peer2peer"
+++  ssid=P"peer2peer"
++   mode=1
++   key_mgmt=NONE
++ }
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="hidden-y"
+++  ssid=P"hidden-y"
++   scan_ssid=1
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++   ieee80211w=1
++@@ -108,7 +108,7 @@ network={
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="hidden-n"
+++  ssid=P"hidden-n"
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++   ieee80211w=1
++   psk="5ecur1ty"
++@@ -116,7 +116,7 @@ network={
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="workplace"
+++  ssid=P"workplace"
++   bssid=de:ad:be:ef:ca:fe
++   freq_list=5500
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++@@ -126,7 +126,7 @@ network={
++ ''', new_config)
++             self.assertIn('''
++ network={
++-  ssid="Joe's Home"
+++  ssid=P"Joe's Home"
++   bssid=00:11:22:33:44:55
++   freq_list=2462
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++@@ -303,7 +303,7 @@ LinkLocalAddressing=ipv6
++             self.assertIn('''
++ wowlan_triggers=any disconnect magic_pkt gtk_rekey_failure eap_identity_req four_way_handshake rfkill_release
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   key_mgmt=NONE
++ }
++ ''', new_config)
++@@ -336,7 +336,7 @@ LinkLocalAddressing=ipv6
++             new_config = f.read()
++             self.assertIn('''
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   key_mgmt=NONE
++ }
++ ''', new_config)
++@@ -360,7 +360,7 @@ network={
++         self.assert_wpa_supplicant("wl0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   key_mgmt=SAE
++   ieee80211w=2
++   psk="********"
++@@ -387,7 +387,7 @@ network={
++         self.assert_wpa_supplicant("wl0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   key_mgmt=WPA-EAP WPA-EAP-SHA256
++   eap=TLS
++   ieee80211w=1
++@@ -420,7 +420,7 @@ network={
++         self.assert_wpa_supplicant("wl0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   key_mgmt=WPA-EAP-SUITE-B-192
++   eap=TLS
++   ieee80211w=2
++@@ -449,7 +449,7 @@ network={
++         self.assert_wpa_supplicant("wl0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   key_mgmt=IEEE8021X
++   eap=LEAP
++   identity="some-id"
++@@ -473,7 +473,7 @@ network={
++         self.assert_wpa_supplicant("wl0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   key_mgmt=IEEE8021X
++   eap=PWD
++   identity="some-id"
++@@ -498,7 +498,7 @@ network={
++         self.assert_wpa_supplicant("wl0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   key_mgmt=WPA-EAP
++   eap=LEAP
++   ieee80211w=1
++@@ -508,6 +508,48 @@ network={
++ }
++ """)
++
+++    def test_escaping_special_characters(self):
+++        self.generate('''network:
+++  version: 2
+++  wifis:
+++    wl0:
+++      regulatory-domain: "abc\\n\\n321\\n\\"123"
+++      access-points:
+++        "abc\\n\\n123\\"x\\ry\\bz":
+++          password:  "abc\\n\\n\\n\\"123"
+++          auth:
+++            key-management: eap
+++            method: leap
+++            anonymous-identity: "abc\\n\\n321\\n\\"123"
+++            identity: "abc\\n\\n321\\n\\"123"
+++            password: "abc\\n\\n\\n\\"123"
+++            ca-certificate: "abc\\n\\n321\\n\\"123"
+++            client-certificate: "abc\\n\\n321\\n\\"123"
+++            client-key: "abc\\n\\n321\\n\\"123"
+++            client-key-password: "abc\\n\\n321\\n\\"123"
+++            phase2-auth: "abc\\n\\n321\\n\\"123"
+++            ''', skip_generated_yaml_validation=True)
+++
+++        self.assert_wpa_supplicant("wl0", """ctrl_interface=/run/wpa_supplicant
+++
+++country=abc\\n\\n321\\n\\"123
+++network={
+++  ssid=P"abc\\n\\n123\\\"x\\ry\\bz"
+++  key_mgmt=WPA-EAP
+++  eap=LEAP
+++  ieee80211w=1
+++  identity="abc\\n\\n321\\n\\\"123"
+++  anonymous_identity="abc\\n\\n321\\n\\\"123"
+++  psk="abc\\n\\n\\n\"123"
+++  password="abc\\n\\n\\n\"123"
+++  ca_cert="abc\\n\\n321\\n\\\"123"
+++  client_cert="abc\\n\\n321\\n\\\"123"
+++  private_key="abc\\n\\n321\\n\\\"123"
+++  private_key_passwd="abc\\n\\n321\\n\"123"
+++  phase2="auth=abc\\n\\n321\\n\\\"123"
+++}
+++""")
+++
++
++ class TestNetworkManager(TestBase):
++
++@@ -790,7 +832,7 @@ mode=adhoc
++         self.assert_wpa_supplicant("wl0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   frequency=2442
++   mode=1
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
++@@ -814,7 +856,7 @@ network={
++         self.assert_wpa_supplicant("wl0", """ctrl_interface=/run/wpa_supplicant
++
++ network={
++-  ssid="homenet"
+++  ssid=P"homenet"
++   frequency=5035
++   mode=1
++   key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
 diff --git a/debian/patches/lp2066258/0015-backends-escape-file-paths.patch b/debian/patches/lp2066258/0015-backends-escape-file-paths.patch
 new file mode 100644
 index 0000000..6898b75
 --- /dev/null
 +++ b/debian/patches/lp2066258/0015-backends-escape-file-paths.patch
@@ -0,0 +1,288 @@
++From: Danilo Egea Gondolfo <danilogondolfo@gmail.com>
++Date: Thu, 23 May 2024 15:54:43 +0100
++Subject: backends: escape file paths
++
++Escape strings used to build paths with g_uri_escape_string().
++systemd_escape() could also be used but it has the downside of calling
++an external program and, by default, it escapes dashes (which are
++present in files generated from Network Manager for example).
++---
++ src/networkd.c                 | 13 +++++----
++ src/nm.c                       |  5 ++--
++ src/openvswitch.c              | 19 ++++++------
++ src/util.c                     |  7 +++--
++ tests/generator/test_common.py | 66 ++++++++++++++++++++++++++++++++++++++++++
++ tests/generator/test_ovs.py    | 24 +++++++++++++++
++ 6 files changed, 115 insertions(+), 19 deletions(-)
++
++diff --git a/src/networkd.c b/src/networkd.c
++index ac54112..e66ab4c 100644
++--- a/src/networkd.c
+++++ b/src/networkd.c
++@@ -981,7 +981,8 @@ static void
++ write_rules_file(const NetplanNetDefinition* def, const char* rootdir)
++ {
++     GString* s = NULL;
++-    g_autofree char* path = g_strjoin(NULL, "run/udev/rules.d/99-netplan-", def->id, ".rules", NULL);
+++    g_autofree char* escaped_netdef_id = g_uri_escape_string(def->id, NULL, TRUE);
+++    g_autofree char* path = g_strjoin(NULL, "run/udev/rules.d/99-netplan-", escaped_netdef_id, ".rules", NULL);
++
++     /* do we need to write a .rules file?
++      * It's only required for reliably setting the name of a physical device
++@@ -1198,7 +1199,8 @@ write_wpa_conf(const NetplanNetDefinition* def, const char* rootdir, GError** er
++ {
++     GHashTableIter iter;
++     GString* s = g_string_new("ctrl_interface=/run/wpa_supplicant\n\n");
++-    g_autofree char* path = g_strjoin(NULL, "run/netplan/wpa-", def->id, ".conf", NULL);
+++    g_autofree char* escaped_netdef_id = g_uri_escape_string(def->id, NULL, TRUE);
+++    g_autofree char* path = g_strjoin(NULL, "run/netplan/wpa-", escaped_netdef_id, ".conf", NULL);
++
++     g_debug("%s: Creating wpa_supplicant configuration file %s", def->id, path);
++     if (def->type == NETPLAN_DEF_TYPE_WIFI) {
++@@ -1310,7 +1312,8 @@ netplan_netdef_write_networkd(
++         GError** error)
++ {
++     /* TODO: make use of netplan_netdef_get_output_filename() */
++-    g_autofree char* path_base = g_strjoin(NULL, "run/systemd/network/10-netplan-", def->id, NULL);
+++    g_autofree char* escaped_netdef_id = g_uri_escape_string(def->id, NULL, TRUE);
+++    g_autofree char* path_base = g_strjoin(NULL, "run/systemd/network/10-netplan-", escaped_netdef_id, NULL);
++     SET_OPT_OUT_PTR(has_been_written, FALSE);
++
++     /* We want this for all backends when renaming, as *.link and *.rules files are
++@@ -1332,8 +1335,8 @@ netplan_netdef_write_networkd(
++     }
++
++     if (def->type == NETPLAN_DEF_TYPE_WIFI || def->has_auth) {
++-        g_autofree char* link = g_strjoin(NULL, rootdir ?: "", "/run/systemd/system/systemd-networkd.service.wants/netplan-wpa-", def->id, ".service", NULL);
++-        g_autofree char* slink = g_strjoin(NULL, "/run/systemd/system/netplan-wpa-", def->id, ".service", NULL);
+++        g_autofree char* link = g_strjoin(NULL, rootdir ?: "", "/run/systemd/system/systemd-networkd.service.wants/netplan-wpa-", escaped_netdef_id, ".service", NULL);
+++        g_autofree char* slink = g_strjoin(NULL, "/run/systemd/system/netplan-wpa-", escaped_netdef_id, ".service", NULL);
++         if (def->type == NETPLAN_DEF_TYPE_WIFI && def->has_match) {
++             g_set_error(error, NETPLAN_BACKEND_ERROR, NETPLAN_ERROR_UNSUPPORTED, "ERROR: %s: networkd backend does not support wifi with match:, only by interface name\n", def->id);
++             return FALSE;
++diff --git a/src/nm.c b/src/nm.c
++index a605c38..380b7fd 100644
++--- a/src/nm.c
+++++ b/src/nm.c
++@@ -931,10 +931,11 @@ write_nm_conf_access_point(const NetplanNetDefinition* def, const char* rootdir,
++         g_datalist_foreach((GData**)&def->backend_settings.passthrough, write_fallback_key_value, kf);
++     }
++
+++    g_autofree char* escaped_netdef_id = g_uri_escape_string(def->id, NULL, TRUE);
++     if (ap) {
++         g_autofree char* escaped_ssid = g_uri_escape_string(ap->ssid, NULL, TRUE);
++         /* TODO: make use of netplan_netdef_get_output_filename() */
++-        conf_path = g_strjoin(NULL, "run/NetworkManager/system-connections/netplan-", def->id, "-", escaped_ssid, ".nmconnection", NULL);
+++        conf_path = g_strjoin(NULL, "run/NetworkManager/system-connections/netplan-", escaped_netdef_id, "-", escaped_ssid, ".nmconnection", NULL);
++
++         g_key_file_set_string(kf, "wifi", "ssid", ap->ssid);
++         if (ap->mode < NETPLAN_WIFI_MODE_OTHER)
++@@ -969,7 +970,7 @@ write_nm_conf_access_point(const NetplanNetDefinition* def, const char* rootdir,
++         }
++     } else {
++         /* TODO: make use of netplan_netdef_get_output_filename() */
++-        conf_path = g_strjoin(NULL, "run/NetworkManager/system-connections/netplan-", def->id, ".nmconnection", NULL);
+++        conf_path = g_strjoin(NULL, "run/NetworkManager/system-connections/netplan-", escaped_netdef_id, ".nmconnection", NULL);
++         if (def->has_auth) {
++             write_dot1x_auth_parameters(&def->auth, kf);
++         }
++diff --git a/src/openvswitch.c b/src/openvswitch.c
++index 276762e..b33769d 100644
++--- a/src/openvswitch.c
+++++ b/src/openvswitch.c
++@@ -32,9 +32,9 @@
++ static gboolean
++ write_ovs_systemd_unit(const char* id, const GString* cmds, const char* rootdir, gboolean physical, gboolean cleanup, const char* dependency, GError** error)
++ {
++-    g_autofree gchar* id_escaped = NULL;
++-    g_autofree char* link = g_strjoin(NULL, rootdir ?: "", "/run/systemd/system/systemd-networkd.service.wants/netplan-ovs-", id, ".service", NULL);
++-    g_autofree char* path = g_strjoin(NULL, "/run/systemd/system/netplan-ovs-", id, ".service", NULL);
+++    g_autofree char* escaped_netdef_id = g_uri_escape_string(id, NULL, TRUE);
+++    g_autofree char* link = g_strjoin(NULL, rootdir ?: "", "/run/systemd/system/systemd-networkd.service.wants/netplan-ovs-", escaped_netdef_id, ".service", NULL);
+++    g_autofree char* path = g_strjoin(NULL, "/run/systemd/system/netplan-ovs-", escaped_netdef_id, ".service", NULL);
++
++     GString* s = g_string_new("[Unit]\n");
++     g_string_append_printf(s, "Description=OpenVSwitch configuration for %s\n", id);
++@@ -43,9 +43,8 @@ write_ovs_systemd_unit(const char* id, const GString* cmds, const char* rootdir,
++     g_string_append_printf(s, "Wants=ovsdb-server.service\n");
++     g_string_append_printf(s, "After=ovsdb-server.service\n");
++     if (physical) {
++-        id_escaped = systemd_escape((char*) id);
++-        g_string_append_printf(s, "Requires=sys-subsystem-net-devices-%s.device\n", id_escaped);
++-        g_string_append_printf(s, "After=sys-subsystem-net-devices-%s.device\n", id_escaped);
+++        g_string_append_printf(s, "Requires=sys-subsystem-net-devices-%s.device\n", escaped_netdef_id);
+++        g_string_append_printf(s, "After=sys-subsystem-net-devices-%s.device\n", escaped_netdef_id);
++     }
++     if (!cleanup) {
++         g_string_append_printf(s, "After=netplan-ovs-cleanup.service\n");
++@@ -55,8 +54,9 @@ write_ovs_systemd_unit(const char* id, const GString* cmds, const char* rootdir,
++     }
++     g_string_append(s, "Before=network.target\nWants=network.target\n");
++     if (dependency) {
++-        g_string_append_printf(s, "Requires=netplan-ovs-%s.service\n", dependency);
++-        g_string_append_printf(s, "After=netplan-ovs-%s.service\n", dependency);
+++        g_autofree char* escaped_dependency = g_uri_escape_string(dependency, NULL, TRUE);
+++        g_string_append_printf(s, "Requires=netplan-ovs-%s.service\n", escaped_dependency);
+++        g_string_append_printf(s, "After=netplan-ovs-%s.service\n", escaped_dependency);
++     }
++
++     g_string_append(s, "\n[Service]\nType=oneshot\nTimeoutStartSec=10s\n");
++@@ -321,6 +321,7 @@ netplan_netdef_write_ovs(const NetplanState* np_state, const NetplanNetDefinitio
++     gchar* dependency = NULL;
++     const char* type = netplan_type_to_table_name(def->type);
++     g_autofree char* base_config_path = NULL;
+++    g_autofree char* escaped_netdef_id = g_uri_escape_string(def->id, NULL, TRUE);
++     char* value = NULL;
++     const NetplanOVSSettings* settings = &np_state->ovs_settings;
++
++@@ -411,7 +412,7 @@ netplan_netdef_write_ovs(const NetplanState* np_state, const NetplanNetDefinitio
++
++         /* Try writing out a base config */
++         /* TODO: make use of netplan_netdef_get_output_filename() */
++-        base_config_path = g_strjoin(NULL, "run/systemd/network/10-netplan-", def->id, NULL);
+++        base_config_path = g_strjoin(NULL, "run/systemd/network/10-netplan-", escaped_netdef_id, NULL);
++         if (!netplan_netdef_write_network_file(np_state, def, rootdir, base_config_path, has_been_written, error))
++             return FALSE;
++     } else {
++diff --git a/src/util.c b/src/util.c
++index d8d3a57..a3dae98 100644
++--- a/src/util.c
+++++ b/src/util.c
++@@ -691,17 +691,18 @@ ssize_t
++ netplan_netdef_get_output_filename(const NetplanNetDefinition* netdef, const char* ssid, char* out_buffer, size_t out_buf_size)
++ {
++     g_autofree gchar* conf_path = NULL;
+++    g_autofree char* escaped_netdef_id = g_uri_escape_string(netdef->id, NULL, TRUE);
++
++     if (netdef->backend == NETPLAN_BACKEND_NM) {
++         if (ssid) {
++             g_autofree char* escaped_ssid = g_uri_escape_string(ssid, NULL, TRUE);
++-            conf_path = g_strjoin(NULL, "/run/NetworkManager/system-connections/netplan-", netdef->id, "-", escaped_ssid, ".nmconnection", NULL);
+++            conf_path = g_strjoin(NULL, "/run/NetworkManager/system-connections/netplan-", escaped_netdef_id, "-", escaped_ssid, ".nmconnection", NULL);
++         } else {
++-            conf_path = g_strjoin(NULL, "/run/NetworkManager/system-connections/netplan-", netdef->id, ".nmconnection", NULL);
+++            conf_path = g_strjoin(NULL, "/run/NetworkManager/system-connections/netplan-", escaped_netdef_id, ".nmconnection", NULL);
++         }
++
++     } else if (netdef->backend == NETPLAN_BACKEND_NETWORKD || netdef->backend == NETPLAN_BACKEND_OVS) {
++-        conf_path = g_strjoin(NULL, "/run/systemd/network/10-netplan-", netdef->id, ".network", NULL);
+++        conf_path = g_strjoin(NULL, "/run/systemd/network/10-netplan-", escaped_netdef_id, ".network", NULL);
++     }
++
++     if (conf_path)
++diff --git a/tests/generator/test_common.py b/tests/generator/test_common.py
++index 3aab3f7..f145104 100644
++--- a/tests/generator/test_common.py
+++++ b/tests/generator/test_common.py
++@@ -827,6 +827,47 @@ UseMTU=true
++
++         self.assert_networkd_udev({'def1.rules': (UDEV_NO_MAC_RULE % ('abc\\"xyz\\n0\\n\\n1', 'eth\\"\\n\\nxyz\\n0'))})
++
+++    def test_nd_file_paths_escaped(self):
+++        self.generate('''network:
+++  version: 2
+++  ethernets:
+++    "abc/../../xyz0":
+++      match:
+++        driver: "drv"
+++      set-name: "eth123"''')
+++
+++        self.assert_networkd_udev({'abc%2F..%2F..%2Fxyz0.rules': (UDEV_NO_MAC_RULE % ('drv', 'eth123'))})
+++        self.assert_networkd({'abc%2F..%2F..%2Fxyz0.network': '''[Match]\nDriver=drv
+++Name=eth123
+++
+++[Network]
+++LinkLocalAddressing=ipv6
+++''',
+++                              'abc%2F..%2F..%2Fxyz0.link': '''[Match]\nDriver=drv\n
+++[Link]
+++Name=eth123
+++WakeOnLan=off
+++'''})
+++
+++        self.generate('''network:
+++  version: 2
+++  wifis:
+++    "abc/../../xyz0":
+++      dhcp4: true
+++      access-points:
+++        "mywifi":
+++          password: "aaaaaaaa"''')
+++
+++        self.assert_wpa_supplicant("abc%2F..%2F..%2Fxyz0", """ctrl_interface=/run/wpa_supplicant
+++
+++network={
+++  ssid=P"mywifi"
+++  key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
+++  ieee80211w=1
+++  psk="aaaaaaaa"
+++}
+++""")
+++
++
++ class TestNetworkManager(TestBase):
++
++@@ -1354,6 +1395,31 @@ method=ignore
++       dhcp4: true''', skip_generated_yaml_validation=True)
++         self.assert_nm_udev(NM_UNMANAGED % 'eth\\n0' + NM_UNMANAGED % 'eth0')
++
+++    def test_nm_file_paths_escaped(self):
+++        self.generate('''network:
+++  version: 2
+++  renderer: NetworkManager
+++  ethernets:
+++    "abc/../../xyz0":
+++      match:
+++        driver: "drv"
+++      set-name: "eth123"''')
+++
+++        self.assert_nm({'abc%2F..%2F..%2Fxyz0': '''[connection]
+++id=netplan-abc/../../xyz0
+++type=ethernet
+++interface-name=eth123
+++
+++[ethernet]
+++wake-on-lan=0
+++
+++[ipv4]
+++method=link-local
+++
+++[ipv6]
+++method=ignore
+++'''})
+++
++
++ class TestForwardDeclaration(TestBase):
++
++diff --git a/tests/generator/test_ovs.py b/tests/generator/test_ovs.py
++index 1dad3cb..e60d497 100644
++--- a/tests/generator/test_ovs.py
+++++ b/tests/generator/test_ovs.py
++@@ -1104,3 +1104,27 @@ ExecStart=/usr/bin/ovs-vsctl set Bridge br123 external-ids:netplan/global/set-co
++         - [portname, portname]
++ ''', expect_fail=True)
++         self.assertIn('Open vSwitch patch ports must be of different name', err)
+++
+++    def test_file_paths_escaped(self):
+++        self.generate('''network:
+++  version: 2
+++  bridges:
+++    "abc/../../123":
+++      openvswitch: {}
+++  vlans:
+++    "abc/../../123.100":
+++      id: 100
+++      link: "abc/../../123"
+++''')
+++        self.assert_ovs({'abc%2F..%2F..%2F123.service': OVS_BR_EMPTY % {'iface': 'abc/../../123'},
+++                         'abc%2F..%2F..%2F123.100.service': OVS_VIRTUAL % {'iface': 'abc/../../123.100', 'extra':
+++                                                                           '''Requires=netplan-ovs-abc%2F..%2F..%2F123.service
+++After=netplan-ovs-abc%2F..%2F..%2F123.service
+++
+++[Service]
+++Type=oneshot
+++TimeoutStartSec=10s
+++ExecStart=/usr/bin/ovs-vsctl --may-exist add-br abc/../../123.100 abc/../../123 100
+++ExecStart=/usr/bin/ovs-vsctl set Interface abc/../../123.100 external-ids:netplan=true
+++'''},
+++                         'cleanup.service': OVS_CLEANUP % {'iface': 'cleanup'}})
 diff --git a/debian/patches/lp2066258/0016-backends-escape-semicolons-in-service-units.patch b/debian/patches/lp2066258/0016-backends-escape-semicolons-in-service-units.patch
 new file mode 100644
 index 0000000..ef7e7af
 --- /dev/null
 +++ b/debian/patches/lp2066258/0016-backends-escape-semicolons-in-service-units.patch
@@ -0,0 +1,292 @@
++From: Danilo Egea Gondolfo <danilogondolfo@gmail.com>
++Date: Fri, 24 May 2024 14:11:12 +0100
++Subject: backends: escape semicolons in service units
++
++Semicolons separated from other words by a combination of spaces and/or
++tabs will be escaped.
++---
++ src/networkd.c                   |  7 +++++
++ src/openvswitch.c                |  3 +++
++ src/sriov.c                      |  3 +++
++ src/util-internal.h              |  3 +++
++ src/util.c                       | 34 +++++++++++++++++++++++
++ tests/ctests/test_netplan_misc.c | 45 +++++++++++++++++++++++++++++++
++ tests/generator/test_ovs.py      | 58 ++++++++++++++++++++++++++++++++++++++++
++ tests/test_sriov.py              | 29 ++++++++++++++++++++
++ 8 files changed, 182 insertions(+)
++
++diff --git a/src/networkd.c b/src/networkd.c
++index e66ab4c..f9fefe9 100644
++--- a/src/networkd.c
+++++ b/src/networkd.c
++@@ -301,6 +301,9 @@ write_regdom(const NetplanNetDefinition* def, const char* rootdir, GError** erro
++     g_string_append(s, "\n[Service]\nType=oneshot\n");
++     g_string_append_printf(s, "ExecStart="SBINDIR"/iw reg set %s\n", def->regulatory_domain);
++
+++    g_autofree char* new_s = _netplan_scrub_systemd_unit_contents(s->str);
+++    g_string_free(s, TRUE);
+++    s = g_string_new(new_s);
++     _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++     safe_mkdir_p_dir(link);
++     if (symlink(path, link) < 0 && errno != EEXIST) {
++@@ -1191,6 +1194,10 @@ write_wpa_unit(const NetplanNetDefinition* def, const char* rootdir)
++     } else {
++         g_string_append(s, " -Dnl80211,wext\n");
++     }
+++
+++    g_autofree char* new_s = _netplan_scrub_systemd_unit_contents(s->str);
+++    g_string_free(s, TRUE);
+++    s = g_string_new(new_s);
++     _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++ }
++
++diff --git a/src/openvswitch.c b/src/openvswitch.c
++index b33769d..7d31e7f 100644
++--- a/src/openvswitch.c
+++++ b/src/openvswitch.c
++@@ -62,6 +62,9 @@ write_ovs_systemd_unit(const char* id, const GString* cmds, const char* rootdir,
++     g_string_append(s, "\n[Service]\nType=oneshot\nTimeoutStartSec=10s\n");
++     g_string_append(s, cmds->str);
++
+++    g_autofree char* new_s = _netplan_scrub_systemd_unit_contents(s->str);
+++    g_string_free(s, TRUE);
+++    s = g_string_new(new_s);
++     _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++
++     safe_mkdir_p_dir(link);
++diff --git a/src/sriov.c b/src/sriov.c
++index c3cd80d..710f1a8 100644
++--- a/src/sriov.c
+++++ b/src/sriov.c
++@@ -53,6 +53,9 @@ write_sriov_rebind_systemd_unit(GHashTable* pfs, const char* rootdir, GError** e
++     g_string_truncate(interfaces, interfaces->len-1); /* cut trailing whitespace */
++     g_string_append_printf(s, "ExecStart=" SBINDIR "/netplan rebind %s\n", interfaces->str);
++
+++    g_autofree char* new_s = _netplan_scrub_systemd_unit_contents(s->str);
+++    g_string_free(s, TRUE);
+++    s = g_string_new(new_s);
++     _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
++     g_string_free(interfaces, TRUE);
++
++diff --git a/src/util-internal.h b/src/util-internal.h
++index f6f36fc..e9c2d13 100644
++--- a/src/util-internal.h
+++++ b/src/util-internal.h
++@@ -185,3 +185,6 @@ _netplan_netdef_pertype_iter_free(struct netdef_pertype_iter* it);
++
++ gchar*
++ _netplan_scrub_string(const char* content);
+++
+++gchar*
+++_netplan_scrub_systemd_unit_contents(const char* content);
++diff --git a/src/util.c b/src/util.c
++index a3dae98..30d05cb 100644
++--- a/src/util.c
+++++ b/src/util.c
++@@ -1235,3 +1235,37 @@ _netplan_scrub_string(const char* content)
++
++     return g_string_free(s, FALSE);
++ }
+++
+++static gboolean
+++_is_space_or_tab(char c)
+++{
+++    return c == ' ' || c == '\t';
+++}
+++
+++char*
+++_netplan_scrub_systemd_unit_contents(const char* content)
+++{
+++    size_t content_len = strlen(content);
+++    // Assume a few replacements will happen to reduce reallocation
+++    GString* s = g_string_sized_new(content_len + 8);
+++
+++    // Append the first character of "content" to the result string
+++    g_string_append_len(s, content, 1);
+++
+++    // Walk from the second element to the one before the last looking for isolated semicolons
+++    // A semicolon is isolated if it's surrounded by either tabs or spaces
+++    const char* p = content + 1;
+++    while (p < (content + content_len - 1)) {
+++        if (*p == ';' && _is_space_or_tab(*(p - 1)) && _is_space_or_tab(*(p + 1))) {
+++            g_string_append_len(s, "\\;", 2);
+++        } else {
+++            g_string_append_len(s, p, 1);
+++        }
+++        p++;
+++    }
+++
+++    // Append the last character of "content" to the result string
+++    g_string_append_len(s, p, 1);
+++
+++    return g_string_free(s, FALSE);
+++}
++diff --git a/tests/ctests/test_netplan_misc.c b/tests/ctests/test_netplan_misc.c
++index 35bf4f8..aa14a71 100644
++--- a/tests/ctests/test_netplan_misc.c
+++++ b/tests/ctests/test_netplan_misc.c
++@@ -348,6 +348,50 @@ test_normalize_ip_address(__unused void** state)
++     assert_string_equal(normalize_ip_address("0.0.0.0/0", AF_INET), "0.0.0.0/0");
++ }
++
+++void
+++test_scrub_systemd_unit_content(__unused void** state)
+++{
+++    char* str = ";abc;";
+++    char* res = _netplan_scrub_systemd_unit_contents(str);
+++    assert_string_equal(res, ";abc;");
+++    g_free(res);
+++
+++    str = ";;;;";
+++    res = _netplan_scrub_systemd_unit_contents(str);
+++    assert_string_equal(res, ";;;;");
+++    g_free(res);
+++
+++    str = " ;;;; ";
+++    res = _netplan_scrub_systemd_unit_contents(str);
+++    assert_string_equal(res, " ;;;; ");
+++    g_free(res);
+++
+++    str = "; ; ; ; ;";
+++    res = _netplan_scrub_systemd_unit_contents(str);
+++    assert_string_equal(res, "; \\; \\; \\; ;");
+++    g_free(res);
+++
+++    str = " ; ; ; ; ; ";
+++    res = _netplan_scrub_systemd_unit_contents(str);
+++    assert_string_equal(res, " \\; \\; \\; \\; \\; ");
+++    g_free(res);
+++
+++    str = "a ; ; ; ; ; b";
+++    res = _netplan_scrub_systemd_unit_contents(str);
+++    assert_string_equal(res, "a \\; \\; \\; \\; \\; b");
+++    g_free(res);
+++
+++    str = "\t;\t; ;\t; \t ;\t ";
+++    res = _netplan_scrub_systemd_unit_contents(str);
+++    assert_string_equal(res, "\t\\;\t\\; \\;\t\\; \t \\;\t ");
+++    g_free(res);
+++
+++    str = "\t;\t;\t;\t;\t;\t";
+++    res = _netplan_scrub_systemd_unit_contents(str);
+++    assert_string_equal(res, "\t\\;\t\\;\t\\;\t\\;\t\\;\t");
+++    g_free(res);
+++}
+++
++ int
++ setup(__unused void** state)
++ {
++@@ -380,6 +424,7 @@ main()
++            cmocka_unit_test(test_util_is_route_rule_present),
++            cmocka_unit_test(test_util_is_string_in_array),
++            cmocka_unit_test(test_normalize_ip_address),
+++           cmocka_unit_test(test_scrub_systemd_unit_content),
++        };
++
++        return cmocka_run_group_tests(tests, setup, tear_down);
++diff --git a/tests/generator/test_ovs.py b/tests/generator/test_ovs.py
++index e60d497..c40fa47 100644
++--- a/tests/generator/test_ovs.py
+++++ b/tests/generator/test_ovs.py
++@@ -1128,3 +1128,61 @@ ExecStart=/usr/bin/ovs-vsctl --may-exist add-br abc/../../123.100 abc/../../123
++ ExecStart=/usr/bin/ovs-vsctl set Interface abc/../../123.100 external-ids:netplan=true
++ '''},
++                          'cleanup.service': OVS_CLEANUP % {'iface': 'cleanup'}})
+++
+++    def test_control_characters_and_semicolons_escaping(self):
+++        self.generate('''network:
+++  version: 2
+++  bridges: # bridges first, to trigger multi-pass processing
+++    ovs0:
+++      interfaces: [eth0, eth1]
+++      openvswitch: {}
+++  ethernets:
+++    eth0:
+++      openvswitch:
+++        external-ids:
+++          "a\\n1\\ra": " ; a ; 1 ;a; ;b\\t;\\t3 ;\\ta\\t; 1"
+++        other-config:
+++          "a\\n1\\ra": " ; a ; 1 ;a; ;b\\t;\\t3 ;\\ta\\t; 1"
+++      dhcp6: true
+++    eth1:
+++      dhcp4: true
+++      openvswitch:
+++        other-config:
+++          disable-in-band: false\n''', skip_generated_yaml_validation=True)
+++        self.assert_ovs({'ovs0.service': OVS_VIRTUAL % {'iface': 'ovs0', 'extra': '''
+++[Service]
+++Type=oneshot
+++TimeoutStartSec=10s
+++ExecStart=/usr/bin/ovs-vsctl --may-exist add-br ovs0
+++ExecStart=/usr/bin/ovs-vsctl --may-exist add-port ovs0 eth1
+++ExecStart=/usr/bin/ovs-vsctl --may-exist add-port ovs0 eth0
+++''' + OVS_BR_DEFAULT % {'iface': 'ovs0'}},
+++                         'eth0.service': OVS_PHYSICAL % {'iface': 'eth0', 'extra': '''\
+++Requires=netplan-ovs-ovs0.service
+++After=netplan-ovs-ovs0.service
+++
+++[Service]
+++Type=oneshot
+++TimeoutStartSec=10s
+++ExecStart=/usr/bin/ovs-vsctl set Interface eth0 external-ids:a\\n1\\ra= \\; a \\; 1 ;a; ;b\\t;\\t3 ;\\ta\\t; 1
+++ExecStart=/usr/bin/ovs-vsctl set Interface eth0 external-ids:netplan/external-ids/a\\n1\\ra=,;,a,;,1,;a;,;b\\t;\\t3,;\\ta\\t;,1
+++ExecStart=/usr/bin/ovs-vsctl set Interface eth0 other-config:a\\n1\\ra= \\; a \\; 1 ;a; ;b\\t;\\t3 ;\\ta\\t; 1
+++ExecStart=/usr/bin/ovs-vsctl set Interface eth0 external-ids:netplan/other-config/a\\n1\\ra=,;,a,;,1,;a;,;b\\t;\\t3,;\\ta\\t;,1
+++'''},
+++                         'eth1.service': OVS_PHYSICAL % {'iface': 'eth1', 'extra': '''\
+++Requires=netplan-ovs-ovs0.service
+++After=netplan-ovs-ovs0.service
+++
+++[Service]
+++Type=oneshot
+++TimeoutStartSec=10s
+++ExecStart=/usr/bin/ovs-vsctl set Interface eth1 other-config:disable-in-band=false
+++ExecStart=/usr/bin/ovs-vsctl set Interface eth1 external-ids:netplan/other-config/disable-in-band=false
+++'''},
+++                         'cleanup.service': OVS_CLEANUP % {'iface': 'cleanup'}})
+++        # Confirm that the networkd config is still sane
+++        self.assert_networkd({'ovs0.network': ND_EMPTY % ('ovs0', 'ipv6'),
+++                              'eth0.network': (ND_DHCP6 % 'eth0')
+++                              .replace('LinkLocalAddressing=ipv6', 'LinkLocalAddressing=no\nBridge=ovs0'),
+++                              'eth1.network': (ND_DHCP4 % 'eth1')
+++                              .replace('LinkLocalAddressing=ipv6', 'LinkLocalAddressing=no\nBridge=ovs0')})
++diff --git a/tests/test_sriov.py b/tests/test_sriov.py
++index 3c06e43..054500c 100644
++--- a/tests/test_sriov.py
+++++ b/tests/test_sriov.py
++@@ -913,6 +913,35 @@ After=sys-subsystem-net-devices-engreen.device
++ [Service]
++ Type=oneshot
++ ExecStart=/usr/sbin/netplan rebind enblue engreen
+++'''})
+++
+++    def test_escaping_semicolons_from_unit_file(self):
+++        ''' Check if semicolons and line breaks are properly escaped in the generated
+++        systemd service unit.
+++        '''
+++        self.generate('''network:
+++  version: 2
+++  ethernets:
+++    engreen:
+++      embedded-switch-mode: switchdev
+++      delay-virtual-functions-rebind: true
+++    enblue:
+++      match: {driver: dummy_driver}
+++      set-name: ";en ; a\\t;\\tb ;\\tc\\t; d; \\n;\\nabc"
+++      embedded-switch-mode: legacy
+++      delay-virtual-functions-rebind: true
+++      virtual-function-count: 4
+++    sriov_vf0:
+++      link: engreen''', skip_generated_yaml_validation=True)
+++        self.assert_sriov({'rebind.service': '''[Unit]
+++Description=(Re-)bind SR-IOV Virtual Functions to their driver
+++After=network.target
+++After=sys-subsystem-net-devices-;en \\; a\\t;\\tb ;\\tc\\t; d; \\n;\\nabc.device
+++After=sys-subsystem-net-devices-engreen.device
+++
+++[Service]
+++Type=oneshot
+++ExecStart=/usr/sbin/netplan rebind ;en \\; a\\t;\\tb ;\\tc\\t; d; \\n;\\nabc engreen
++ '''})
++
++     def test_rebind_not_delayed(self):
 diff --git a/debian/patches/series b/debian/patches/series
 index 8021670..f09ed4e 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -4,3 +4,8 @@ lp2041727/0005-Update-ovs.py-to-check-if-ovsdb-server.service-is-in.patch
 -tests-assert-generated-.service-files-in-assert_srio.patch
 -tests-sriov-test-if-the-generated-netplan-rebind-ser.patch
 -sriov-don-t-generate-duplicate-entries-in-the-rebind.patch
++lp2065738/0012-cli-generate-call-daemon-reload-after-generate.patch
++lp2065738/0013-libnetplan-use-more-restrictive-file-permissions.patch
++lp2066258/0014-libnetplan-escape-control-characters.patch
++lp2066258/0015-backends-escape-file-paths.patch
++lp2066258/0016-backends-escape-semicolons-in-service-units.patch

Netplan

Merge ~danilogondolfo/netplan/+git/ubuntu:mantic_0_107_1_sru_with_security_fixes into ~ubuntu-core-dev/netplan/+git/ubuntu:ubuntu-mantic

Commit message

Description of the change

Preview Diff

Subscribers