Petter Reinholdtsen wrote, on 25/03/2012 10:45:
> tags 665696 + pending
> thanks
>
> [Samuel Krempp]
>> following patch just adds the quoting, and was verified to fix the
>> issue.
>
> Thank you. I have committed the fix to svn.

the issue remains for other special characters, at least quotes. But the
only way to really solve the issue is in GOsa functions.inc:

    $command= preg_replace("/%userPassword/", $password, $command);

$password should be properly escaped here otherwise there is no way to
write a safe command-line using %userPassword.

The proper solution seems to be
http://php.net/manual/en/function.escapeshellarg.php

once the script parameters are properly escaped in php, there should be
no need for quoting in gosa.conf, and this patch might have to be reversed.

I see GOsa devs noticed the security issue 19 months ago:
https://oss.gonicus.de/labs/gosa/ticket/1026

"Additionally the script parameter are not escaped right now, somebody
could do nasty thing with it. I will have a look at this too. "

How serious is knowingly leaving such a vulnerability, with easy fix,
open for 19 months?
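
The escaping proposed in the message above, as an added example that is not part of the original message and is not GOsa's code: it puts the quoted `preg_replace` substitution beside one that uses `escapeshellarg()`, and checks that a POSIX shell hands each value back unchanged. The script path, templates, function names and sample passwords are constructed for illustration.

```php
<?php
// Added example, not GOsa code. Script path and templates are hypothetical.

// Template with quoting done in the configuration, as the patch does (constructed).
$quotedTemplate   = "/usr/local/bin/sync-password '%userPassword'";
// Template without quoting, for use once the value is escaped in PHP (constructed).
$unquotedTemplate = "/usr/local/bin/sync-password %userPassword";

// Substitution as quoted in the message: the raw value goes into the command,
// and preg_replace also treats "$n" and "\n" in the replacement as backreferences.
function build_command_raw(string $template, string $password): string
{
    return preg_replace("/%userPassword/", $password, $template);
}

// Hardened form: escape the value for the shell, and use str_replace so it is
// inserted literally with no backreference processing.
function build_command_escaped(string $template, string $password): string
{
    return str_replace("%userPassword", escapeshellarg($password), $template);
}

// Constructed sample passwords: plain, single quote, double quotes,
// and characters that preg_replace reads as backreferences.
$samples = ["plain", "it's", 'say "hi"', 'cost $0 \\1'];

foreach ($samples as $pw) {
    $raw = build_command_raw($quotedTemplate, $pw);
    $esc = build_command_escaped($unquotedTemplate, $pw);
    // Have the shell print the single escaped argument; it must equal the input.
    $seen = shell_exec("printf '%s' " . escapeshellarg($pw));
    printf("password: %s\n", $pw);
    printf("  raw: %s\n", $raw);
    printf("  esc: %s  (shell round-trip %s)\n", $esc, $seen === $pw ? "ok" : "FAILED");
}
```

With the raw substitution, the `it's` sample leaves an unbalanced quote in the command and the `$0 \1` sample is rewritten by `preg_replace` before the shell ever sees it; the escaped form keeps every sample as one literal argument.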