
Bug#665696: gosa-sync breaks on passwords containing spaces



Petter Reinholdtsen wrote, on 25/03/2012 10:45:
> tags 665696 + pending
> thanks
>
> [Samuel Krempp]
>> following patch just adds the quoting, and was verified to fix the
>> issue.
>
> Thank you.  I have committed the fix to svn.

The issue remains for other special characters, at least quotes. But the only way to really solve the issue is in GOsa functions.inc:

    $command= preg_replace("/%userPassword/", $password, $command);

$password should be properly escaped here, otherwise there is no way to write a safe command line using %userPassword.

The proper solution seems to be http://php.net/manual/en/function.escapeshellarg.php. Once the script parameters are properly escaped in PHP, there should be no need for quoting in gosa.conf, and this patch might have to be reversed.

I see GOsa devs noticed the security issue 19 months ago: https://oss.gonicus.de/labs/gosa/ticket/1026 "Additionally the script parameter are not escaped right now, somebody could do nasty thing with it. I will have a look at this too. "

How serious is knowingly leaving such a vulnerability, with an easy fix, open for 19 months?
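
The following is an added example, not part of the original message and not GOsa code: it compares the raw substitution quoted above with an escapeshellarg() variant, against both an unquoted and a quoted %userPassword placeholder. The two templates, the function names and the sample password are hypothetical, and printf stands in for the real hook script so the arguments the shell actually passes can be inspected.

```php
<?php
// Added example, not GOsa code. Assumes PHP CLI and a POSIX /bin/sh.

// Substitution as quoted above from functions.inc: password pasted in raw.
function build_raw(string $template, string $password): string
{
    return preg_replace("/%userPassword/", $password, $template);
}

// Escaped variant. str_replace() is used so that "$1" or "\1" inside a
// password is not treated as a preg_replace() backreference.
function build_escaped(string $template, string $password): string
{
    return str_replace('%userPassword', escapeshellarg($password), $template);
}

// Run a built command and return the arguments printf received, one per entry.
function seen_args(string $command): array
{
    $out = shell_exec($command);
    return is_string($out) && $out !== '' ? explode("\n", rtrim($out, "\n")) : [];
}

// Hypothetical hook templates; printf stands in for the real sync script.
$bare   = 'printf "%s\n" %userPassword';    // placeholder unquoted
$quoted = 'printf "%s\n" "%userPassword"';  // placeholder quoted in the config

$password = 'say "hi" now';                 // constructed sample value

$commands = [
    'raw, unquoted template'     => build_raw($bare, $password),
    'raw, quoted template'       => build_raw($quoted, $password),
    'escaped, unquoted template' => build_escaped($bare, $password),
    'escaped, quoted template'   => build_escaped($quoted, $password),
];

foreach ($commands as $label => $command) {
    // The password survives only if the program receives it as one exact argument.
    $args = seen_args($command);
    $ok   = ($args === [$password]) ? 'intact' : 'altered';
    printf("%-27s %s -> %s (%s)\n", $label, $command, json_encode($args), $ok);
}
```

Only the escaped value in the unquoted template reaches the program unchanged; combining escapeshellarg() with a quoted placeholder alters the password again, which is why the quoting would have to be dropped from the configuration once escaping is done in PHP.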


