
Bug#665696: gosa-sync breaks on passwords containing spaces



tags 665696 + security
clone 665696 -1
reassign -1 gosa
retitle -1 gosa: unescaped arguments used on a command line
found -1 gosa/2.6.11-3
found -1 gosa/2.6.11-3+squeeze1
fixed -1 gosa/2.7.3-1
tags -1 + squeeze fixed-upstream
blocks 665696 by -1
thanks

Hi!

So, the problem here was that %userPassword, or similar string
substitutions into command lines specified in gosa.conf, are not
escaped; and adding quotes to the gosa.conf file cannot properly escape
them either.

On 27/03/12 10:27, Petter Reinholdtsen wrote:
> [Samuel Krempp]
>> [...] to escape userPassword (in functions.inc).
> 
> OK.  Then I believe we should patch gosa instead to fix it properly
> and completely, and get a fix into squeeze.  For r1 we should probably
> provide our own patched package, until an update makes it into squeeze
> proper.

I was going to suggest we chase this upstream, but then I noticed:

> * gosa 2.6.12
>   - Escaped command line arguments in some locations
>   - Updated password handling and hooks, allows special chars in passwords
>   - Added lock/unlock events for users

> $ grep -nR %userP gosa-core-2.6.13/
> gosa-core-2.6.13/include/functions.inc:3075:        $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);

> $ ls -al gosa-core-2.6.13/include/functions.inc
> -rw-r--r-- 1 steven steven 104887 Dec 14  2010 gosa-core-2.6.13/include/functions.inc

They already fixed this in the 2.6 series (back in December), and
apparently made similar fixes in other places too?

In my opinion the fixes of 2.6.12 want to go into Debian s-p-u.  Maybe
even to security if it could be an issue outside of Debian Edu;
fortunately I think the 'sudo' command line in gosa.conf was something
specific to Debian Edu and that other GOsa users are not at such a risk
by default.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
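
Added example, not part of the original message and not GOsa code: a PHP sketch of the placeholder substitution discussed above, comparing a raw value, a value wrapped in quotes in the configured command line, and a value passed through `escapeshellarg()`. The command templates, helper names and sample passwords are hypothetical, `printf` stands in for the real hook, and a POSIX shell is assumed.

```php
<?php
// Added illustration; not GOsa code. Template and helper names are hypothetical.

// Substitute the placeholder into a hook command line, optionally shell-escaping it.
function build_command(string $template, string $password, bool $escape): string
{
    $value = $escape ? escapeshellarg($password) : $password;
    // str_replace inserts the value literally, with no pattern syntax involved.
    return str_replace('%userPassword', $value, $template);
}

// Run the command line through the shell and return the arguments the hook received.
function argv_seen_by_hook(string $command): array
{
    $lines = [];
    exec($command, $lines, $status);
    return $status === 0 ? $lines : ["<shell exited with status $status>"];
}

// printf stands in for the real hook: it prints each argument it receives on its own line.
$cases = [
    'unquoted in config, raw value'      => ["printf '[%s]\\n' %userPassword", false],
    'double-quoted in config, raw value' => ["printf '[%s]\\n' \"%userPassword\"", false],
    'unquoted in config, escapeshellarg' => ["printf '[%s]\\n' %userPassword", true],
];

// Constructed sample passwords: one with a space, one with spaces and double quotes.
foreach (['correct horse', 'my "new" pass'] as $password) {
    echo "password: $password\n";
    foreach ($cases as $label => [$template, $escape]) {
        $args = argv_seen_by_hook(build_command($template, $password, $escape));
        printf("  %-36s %d arg(s): %s\n", $label, count($args), implode(' ', $args));
    }
}
```

Quoting in the template keeps a password with a space as one argument, but the shell still interprets quote characters inside the value, so the hook receives a different string than the user typed; only the escaped variant delivers both sample passwords unchanged as a single argument.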


