Hi all,

can someone from the D-E developers please test the attached patch for GOsa²? I will not be able (and willing) to do that within the next couple of days because last Sunday my son was born, so there is not so much FOSS stuff going on here right now...

Thanks for testing and please report back here and to Debian BTS #665950 if the patch works.
Thanks,
Mike

----- Forwarded message from hickert@gonicus.de -----
Date: Wed, 02 May 2012 08:21:36 +0200
From: Fabian Hickert <hickert@gonicus.de>
Subject: Re: Bug#665950: Research/Questions on GOsa² issue: "unescaped arguments used on a command line"
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 665950@bugs.debian.org

Hi Mike,

I've checked the hook execution on a normal 2.6.11, while your edu server is still downloading ;)

You've already guessed it, escaping of the dn and the password is definitely required here (functions.inc: ~3066). And I think it is required in your edu server too.

A patch for 2.6.11 is attached, but I'm not sure if it applies to your edu version. But I would appreciate it if you give it a try and let me know, so I can skip installing your whole server.

HTH
Fabian

On Friday, 27.04.2012, 20:32 +0200, Mike Gabriel wrote:
Hi Fabian,

On Fr 27 Apr 2012 18:26:25 CEST Fabian Hickert wrote:

> I didn't find time to address this bug today. But I'm back in my office
> on Wednesday, sorry.

Ok, thanks for this info!

> What version of GOsa do you use, 2.6.12?

2.6.11-3+squeeze1 as in Debian squeeze-proposed-updates.

> There is still escaping for the password hook parameters in
> html/password.php or do you mean another place where a hook is executed?

Easiest would be to install a Debian Edu main server. It will set up GOsa out-of-the-box with the setup we refer to.

http://ftp.skolelinux.org/skolelinux-cd/debian-edu-6.0.4+r0-DVD.iso

The configuration gosa.conf in that Debian Edu version is this:

http://anonscm.debian.org/viewvc/debian-edu/trunk/src/debian-edu-config/etc/gosa/gosa.conf?r1=77207&view=log

... and the hook scripts are here:

http://anonscm.debian.org/viewvc/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/

The Debian package gosa 2.6.11-3+squeeze1 comes with several patches:

https://oss.gonicus.de/repositories/gosa/branches/squeeze/patches/

> Can you explain where exactly the problem occurs, this would help a lot?

My information is (I currently have no D-E main server around to test this...):

* install a D-E main server (main server + workstation)
* during D-I setup user name and password for initial user
* login after reboot with initial user
* start iceweasel, visit GOsa (http://www.intern/gosa)
* set a password containing a space via GOsa in Debian Edu for initial (or any other user)
* using the password fails...

Any more info can be provided if needed. You can also contact me via Jabber, contact me privately for the Jabber ID.

Greets,
Mike
-- 
Visit us at LinuxTag in Berlin, 23.-26.05.2012, Hall 7.2a, Booth 133.

Fabian Hickert <fabian.hickert@GONICUS.de> (System Engineer)
GONICUS GmbH * Moehnestrasse 11-17 * D-59755 Arnsberg
Tel.: +49 (0) 29 32 / 9 16 - 0 * Fax: +49 (0) 29 32 / 9 16 - 242
http://www.GONICUS.de * http://twitter.com/gonicus
Registered office: Moehnestrasse 11-17 * D-59755 Arnsberg
Managing directors: Rainer Luelsdorf, Alfred Schroeder
Chairman of the advisory board: Juergen Michels
Local court Arnsberg * HRB 1968

----- End of forwarded message -----

-- 
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Index: functions.inc =================================================================== --- functions.inc (revision 21128) +++ functions.inc (working copy) @@ -3059,8 +3059,8 @@ if ($command != ""){ /* Walk through attribute list */ - $command= preg_replace("/%userPassword/", $password, $command); - $command= preg_replace("/%dn/", $dn, $command); + $command= preg_replace("/%userPassword/", escapeshellarg($password), $command); + $command= preg_replace("/%dn/", escapeshellarg($dn), $command); if (check_command($command)){ @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
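Review bot: the two replacement strings in this hunk are still handed to preg_replace(), which interprets `$n`, `${n}` and `\n` in the replacement as back-references, so a password (or dn) containing `$1` or `\1` is silently rewritten before the escaped value reaches the shell; since `%userPassword` and `%dn` are fixed literals there is no need for a regex here, and `$command= str_replace("%userPassword", escapeshellarg($password), $command);` followed by the same for `%dn` substitutes literally. Related ordering problem: `%userPassword` is replaced over the whole string before `%dn`, so a password that happens to contain the text `%dn` gets the dn spliced into it; a single pass over both placeholders (e.g. one str_replace() call with array arguments) avoids that. Two caveats for whoever tests this: escapeshellarg() wraps the value in single quotes, so any gosa.conf hook that already quotes its placeholder (`'%userPassword'`) will now see nested quotes and break, and the hooks linked in the thread should be checked for that; and the `@DEBUG` line in the trailing context logs the fully substituted `$command`, cleartext password included, which this patch does not change but which is worth a follow-up.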
Attachment: pgp_YYhNLtxCi.pgp (Description: Digital PGP signature)
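The substitution the thread is about, as an added example that is neither GOsa's code nor part of the original mails: the hook command line is rebuilt from `%userPassword` / `%dn` placeholders the way functions.inc does, first without escaping (the pre-patch behaviour, which is what breaks a password containing a space), then with escapeshellarg() as in the patch, and then with a literal str_replace() that avoids preg_replace()'s back-reference handling. The hook template, the script path, the dn and the test passwords are all made up for the example.

```php
<?php
// Added example, not GOsa code. Rebuilds a password-hook command line from
// the %userPassword and %dn placeholders used in functions.inc, three ways.
// HOOK_TEMPLATE and the script path are hypothetical.

const HOOK_TEMPLATE = '/usr/local/sbin/pw-hook --dn %dn --password %userPassword';

/** Pre-patch behaviour: raw values spliced into the command string. */
function build_unescaped(string $template, string $dn, string $password): string
{
    $command = preg_replace('/%userPassword/', $password, $template);
    $command = preg_replace('/%dn/', $dn, $command);
    return $command;
}

/** Patched behaviour: each value becomes one single-quoted shell word. */
function build_escaped(string $template, string $dn, string $password): string
{
    $command = preg_replace('/%userPassword/', escapeshellarg($password), $template);
    $command = preg_replace('/%dn/', escapeshellarg($dn), $command);
    return $command;
}

/**
 * Same quoting, but str_replace() substitutes literally and in one pass.
 * preg_replace() treats $n, ${n} and \n in its replacement string as
 * back-references, so a password such as 'pa$1ss' loses its "$1" there.
 */
function build_escaped_literal(string $template, string $dn, string $password): string
{
    return str_replace(
        ['%userPassword', '%dn'],
        [escapeshellarg($password), escapeshellarg($dn)],
        $template
    );
}

// escapeshellarg() is locale-aware: under the C locale it drops bytes that are
// not valid in that locale (UTF-8 umlauts, for instance), so pick a UTF-8 one.
setlocale(LC_CTYPE, 'C.UTF-8', 'en_US.UTF-8');

// Constructed inputs: a dn with a space, and passwords covering the space
// from the bug report, a shell metacharacter, a single quote and a
// preg back-reference.
$dn = 'cn=John Doe,ou=people,dc=example,dc=com';
$passwords = [
    'correct horse',
    'x; touch /tmp/owned',
    "it's",
    'pa$1ss',
];

foreach ($passwords as $password) {
    echo 'password:  ', $password, PHP_EOL;
    echo 'unescaped: ', build_unescaped(HOOK_TEMPLATE, $dn, $password), PHP_EOL;
    echo 'preg+esc:  ', build_escaped(HOOK_TEMPLATE, $dn, $password), PHP_EOL;
    echo 'str+esc:   ', build_escaped_literal(HOOK_TEMPLATE, $dn, $password), PHP_EOL;
    echo PHP_EOL;
}
```

Run with `php example.php` and compare the three lines per password: the unescaped form turns `correct horse` into two arguments and lets `x; touch /tmp/owned` start a second command, the two escaped forms agree for the first three passwords, and for `pa$1ss` only the str_replace() variant keeps the password intact.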