Bug#665696: gosa-sync breaks on passwords containing spaces
Petter Reinholdtsen wrote, on 26/03/2012 11:05:
The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.
When upgrading squeeze-test to the new version of debian-edu-config
with the new gosa.conf file, a conffile question is asked and both
options (keeping the old or upgrading to the new file) are wrong.
The old file has the password quoting issue and the correct LDAP
password, the new file has a fix for the password quoting issue but
lacks the correct LDAP password.
Personally here I didn't take the time to upgrade GOsa, fearing other
issues. But I did fix /usr/share/gosa/include/functions.inc with
escapeshellarg($password), and then modified gosa-sync that needs
specific escaping for kadmin:
--- /usr/share/debian-edu-config/tools/gosa-sync.orig 2012-03-25
09:28:32.000000000 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync 2012-03-26
15:34:13.000000000 +0200
@@ -28,9 +28,10 @@
$USERPASSWORD
EOF
IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
+EUSERPASSWORD=`cat $TMPFILE | sed -e 's/"/""/g'` # escapes " because
kadmin need to use double quotes
if [ "$IAM" = "dn:$USERDN" ] ; then
cat > $TMPFILE <<EOF
-change_password -pw $USERPASSWORD $USERID
+change_password -pw "$EUSERPASSWORD" $USERID
EOF
cat $TMPFILE | kadmin.local 2>&1 | logger -t gosa-sync -p notice
logger -t gosa-sync -p notice Kerberos password for \'$USERID\'
changed.
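Review bot: in the new `change_password -pw "$EUSERPASSWORD" $USERID` line, `$USERID` is still unquoted, so the fix depends on user IDs never containing spaces or characters kadmin treats specially; quote it the same way as the password, or validate `$USERID` before it is written into the heredoc. Minor: `cat $TMPFILE | sed -e 's/"/""/g'` can be `sed -e 's/"/""/g' "$TMPFILE"`, and quoting `$TMPFILE` throughout keeps the shell from splitting the path; also worth a comment stating where the `""` doubling rule for kadmin's quoted arguments comes from, since the rest of the script relies on it.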
And I verified it to handle spaces, double and single quotes, and
backslashes.
It only breaks on double backslashes, but that's at the PHP level
replacing \\ with \, and does not lead to vulnerability AFAICT - it just
means that password won't work.
Is that good with you?
--
Samuel Krempp