
Fwd: Re: Bug#665950: Research/Questions on GOsa² issue: ,,unescaped arguments used on a command line''



Hi all,

can someone from the D-E developers please test the attached patch for GOsa²?

I will not be able (and willing) to do that within the next couple of days because last Sunday my son was born, so there is not so much FOSS stuff going on here right now...

Thanks for testing and please report back here and to Debian BTS #665950 if the patch works.

Thanks,
Mike

----- Forwarded message from hickert@gonicus.de -----
      Date: Wed, 02 May 2012 08:21:36 +0200
      From: Fabian Hickert <hickert@gonicus.de>
   Subject: Re: Bug#665950: Research/Questions on GOsa² issue: ,,unescaped arguments used on a command line''
        To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
        Cc: 665950@bugs.debian.org

Hi Mike,

I've checked the hook execution on a normal 2.6.11, while your edu
server is still downloading ;)

You've already guessed it, escaping of the dn and the password is
definitely required here (functions.inc: ~3066).
And I think it is required in your edu server too.

A patch for 2.6.11 is attached, but I'm not sure if it applies to your
edu version.
But I would appreciate it if you give it a try and let me know, so I
can skip installing your whole server.

HTH
Fabian




On Friday, 27.04.2012, 20:32 +0200, Mike Gabriel wrote:
Hi Fabian,

On Fr 27 Apr 2012 18:26:25 CEST Fabian Hickert wrote:

> I didn't find time to address this bug today. But I'm back in my office
> on Wednesday, sorry.

Ok, thanks for this info!

> What version of GOsa do you use, 2.6.12?

2.6.11-3+squeeze1 as in Debian squeeze-proposed-updates.

> There is still escaping for the password hook parameters in
> html/password.php or do you mean another place where a hook is executed?

Easiest would be to install a Debian Edu main server. It will set up
GOsa out-of-the-box with the setup we refer to.
http://ftp.skolelinux.org/skolelinux-cd/debian-edu-6.0.4+r0-DVD.iso

The configuration gosa.conf in that Debian Edu version is this:
http://anonscm.debian.org/viewvc/debian-edu/trunk/src/debian-edu-config/etc/gosa/gosa.conf?r1=77207&view=log

... and the hooks scripts are here:
http://anonscm.debian.org/viewvc/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/

The Debian package gosa, version 2.6.11-3+squeeze1, comes with several patches:
https://oss.gonicus.de/repositories/gosa/branches/squeeze/patches/

> Can you explain where exactly the problem occurs, this would help a lot?

My information is (I currently have no D-E main server around to test
this...):

   * install a D-E main server (main server + workstation)
   * during D-I setup user name and password for initial user
   * login after reboot with initial user
   * start iceweasel, visit GOsa (http://www.intern/gosa)
   * set a password containing a space via GOsa in Debian Edu for initial (or
     any other user)
   * using the password fails...

Any more info can be provided if needed. You can also contact me via
Jabber, contact me privately for the Jabber ID.

Greets,
Mike


--
Visit us at LinuxTag in Berlin, 23.-26.05.2012.
Hall 7.2a, Booth 133

Fabian Hickert <fabian.hickert@GONICUS.de> (System Engineer)
* GONICUS GmbH * Moehnestrasse 11-17 * D-59755 Arnsberg
* Tel.: +49 (0) 29 32 / 9 16 - 0 * Fax: +49 (0) 29 32 / 9 16 - 242
* http://www.GONICUS.de * http://twitter.com/gonicus

*Registered office: Moehnestrasse 11-17 * D-59755 Arnsberg
*Managing directors: Rainer Luelsdorf, Alfred Schroeder
*Chairman of the advisory board: Juergen Michels
*Arnsberg district court * HRB 1968


----- End of forwarded message -----


--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Index: functions.inc
===================================================================
--- functions.inc	(revision 21128)
+++ functions.inc	(working copy)
@@ -3059,8 +3059,8 @@
 
       if ($command != ""){
         /* Walk through attribute list */
-        $command= preg_replace("/%userPassword/", $password, $command);
-        $command= preg_replace("/%dn/", $dn, $command);
+        $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
+        $command= preg_replace("/%dn/", escapeshellarg($dn), $command);
 
         if (check_command($command)){
           @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
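Review bot: the replacement argument of preg_replace() is not taken literally, so even with escapeshellarg() applied, a password containing `$1`, `${1}` or `\1` is expanded as a backreference (the patterns have no capture group, so it becomes empty) before the command reaches the shell, and the user ends up with a password different from the one they typed; since `/%userPassword/` and `/%dn/` are plain substrings, `str_replace("%userPassword", escapeshellarg($password), $command)` and the same for `%dn` give the intended literal substitution. Two further things to check against the gosa.conf hook templates referenced upthread before merging: escapeshellarg() wraps its result in single quotes, so a template that already writes `'%userPassword'` would now produce doubled quoting, and escapeshellarg() is locale-dependent and can drop non-ASCII bytes from a password unless the web server's process locale is UTF-8. A short comment above the two new lines stating both expectations would help the next reader.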
