Bug#665696: gosa-sync breaks on passwords containing spaces
Petter Reinholdtsen wrote, on 25/03/2012 10:45:
tags 665696 + pending
following patch just adds the quoting, and was verified to fix the
Thank you. I have committed the fix to svn.
the issue remains for other special characters, at least quotes. But the
only way to really solve the issue is in GOsa functions.inc:
$command= preg_replace("/%userPassword/", $password, $command);
$password should be properly escaped here otherwise there is no way to
write a safe command-line using %userPassword.
The proper solution seems to be
once the script parameters are properly escaped in php, there should be
no need for quoting in gosa.conf, and this patch might have to be reversed.
I see GOsa devs noticed the security issue 19 months ago:
"Additionally the script parameter are not escaped right now, somebody
could do nasty thing with it. I will have a look at this too."
How serious is knowingly leaving such a vulnerability, with easy fix,
open for 19 months?
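As an added illustration (this is not GOsa's code and not the patch discussed in the bug), the PHP below mirrors the unescaped substitution on the functions.inc line quoted above next to an escaped variant. The printf-based command template, the function names and the sample passwords are assumptions made for the example; nothing here is taken from gosa.conf or from the gosa-sync script.

```php
<?php
// Added example, not GOsa code. Shows why an unescaped %userPassword
// substitution breaks on spaces and quotes and lets shell metacharacters
// through, and one way to escape it in PHP.

// Hypothetical gosa.conf-style command template (assumption: the real hook
// script is not shown on the page). printf is used so the effect is visible.
const TEMPLATE = "printf '[%s]\\n' %userPassword";

// Vulnerable: mirrors the functions.inc line quoted in the mail. The password
// is dropped into the shell command line verbatim, so a space splits it into
// several arguments, an unbalanced quote is a syntax error, and ";" runs a
// second command. A second defect: preg_replace() parses "$1" or "\1" in the
// replacement string as backreferences, so such passwords are mangled too.
function build_vulnerable(string $template, string $password): string
{
    return preg_replace("/%userPassword/", $password, $template);
}

// Hardened: escapeshellarg() wraps the value in single quotes and escapes any
// embedded single quote, and str_replace() substitutes it literally. With this
// in place the template itself needs no quoting around %userPassword.
function build_hardened(string $template, string $password): string
{
    return str_replace('%userPassword', escapeshellarg($password), $template);
}

// Constructed sample passwords covering the cases raised in the thread.
$passwords = [
    "foo bar",            // space: the case in the bug title
    "it's \"quoted\"",    // quotes: the case the reply says is still open
    'x; echo INJECTED',   // shell metacharacters
];

// Runs a built command line through the shell and flattens its output.
function run(string $cmd): string
{
    return str_replace("\n", " | ", trim((string) shell_exec($cmd . ' 2>&1')));
}

foreach ($passwords as $pw) {
    $vuln = build_vulnerable(TEMPLATE, $pw);
    $safe = build_hardened(TEMPLATE, $pw);
    echo "password  : $pw\n";
    echo "vulnerable: $vuln\n";
    echo "        -> " . run($vuln) . "\n";
    echo "hardened  : $safe\n";
    echo "        -> " . run($safe) . "\n\n";
}
```

Run it with the PHP CLI (`php example.php`). For "foo bar" the vulnerable line prints two bracketed arguments and the hardened line one; for the password with a single quote the vulnerable line fails with a shell syntax error; for the ";" password the vulnerable line executes the injected echo while the hardened line prints the whole password as a single argument.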