
Re: Research/Questions on GOsa² issue: ,,unescaped arguments used on a command line''



On 26/04/12 00:56, Mike Gabriel wrote:
> ... the shellarg escaping has been completely
> removed from the hook handling again.

> For 2.6.12 I find this page:
> https://oss.gonicus.de/labs/gosa/browser/trunk/gosa-core/html/password.php?rev=20607

I don't know what is the purpose of that code, or why it is okay not to
escape passwords there...


But the (very similar) code relevant to the Debian Edu issue is in a
different file:

https://oss.gonicus.de/labs/gosa/changeset/19466/trunk/gosa-core/include/functions.inc

The latest version in SVN still escapes the password there, as I think
it should do.  The change was introduced in the 2.6.12 release.  I think
maybe Squeeze should cherry-pick that commit for s-p-u but I haven't
been able to set up a test installation to try this yet.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

