URL: https://github.com/freeipa/freeipa/pull/2368
Author: rcritten
Title: #2368: [Backport][ipa-4-7] Use $(hostname -f) to determine hostname in mod_ssl password script
Action: opened

PR body:
"""
This PR was opened automatically because PR #2303 was pushed to master and backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2368/head:pr2368
git checkout pr2368
From b5db903e10cd276a28265f9142ecc39e3f014350 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Wed, 19 Sep 2018 08:35:57 -0400 Subject: [PATCH] Try to resolve the name passed into the password reader to a file Rather than comparing the value passed in by Apache to a hostname value just see if there is a file of that name in /var/lib/ipa/passwds. Use realpath to see if path information was passed in as one of the options so that someone can't try to return random files from the filesystem. https://pagure.io/freeipa/issue/7528 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- install/tools/ipa-httpd-pwdreader | 33 +++++++++++-------------------- 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/install/tools/ipa-httpd-pwdreader b/install/tools/ipa-httpd-pwdreader index 20f43d9b95..db73293f04 100755 --- a/install/tools/ipa-httpd-pwdreader +++ b/install/tools/ipa-httpd-pwdreader 
@@ -5,32 +5,21 @@ # see the documentation of the aforementioned directive of the mod_ssl module. USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number" -ERR_UNKNOWN_KEY="\ -ERROR: You seem to be running a non-standard IPA installation. -Please extend the /var/libexec/ipa/ipa-pwdreader script to cover your case." -if [ ! "$#" -eq 2 ]; then +if [ "$#" -ne 2 ]; then echo "Wrong number of arguments!" 1>&2 echo "$USAGE" 1>&2 exit 1 fi +fname=${1/:/-}-$2 +pwdpath=/var/lib/ipa/passwds/$fname -case "$1" in - "${HOSTNAME}:443" ) - # Read IPA password - # IPA expects the password filename format to be - # <hostname>-<port>-<ecryption_algorithm> - IPA_PASSWD_PATH="/var/lib/ipa/passwds/${1/:/-}-$2" - cat $IPA_PASSWD_PATH - ;; -# ================ -# Extend for more virtual hosts with -# <vhostname>:<vhost_port> ) -# your_code -# ;; -# ================ - *) - echo "$ERR_UNKNOWN_KEY" 1>&2 - exit 1 -esac +# Make sure the values passed in do not contain path information +checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null) + +if [ $pwdpath == "${checkpath}" ]; then + cat $pwdpath +else + echo "Invalid path ${pwdpath}" 1>&2 +fi
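Review bot: the `else` branch at the end of the hunk prints "Invalid path" but never calls `exit 1`, so on a rejected argument the script still exits 0 with empty stdout and mod_ssl will proceed with an empty passphrase; add `exit 1` after the `echo`. The expansions in `checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)`, `if [ $pwdpath == "${checkpath}" ]; then` and `cat $pwdpath` should also be double-quoted: the realpath-equality comparison is the only thing enforcing that the argument stays inside /var/lib/ipa/passwds, and an unquoted word containing whitespace or glob characters turns that check into a shell error rather than a clean rejection (the old `case` block that this replaces had the same unquoted `cat`). Separately, the PR title says `$(hostname -f)` is used to determine the hostname, but the commit message and the hunk remove the hostname comparison entirely and rely on the `realpath -e` check instead; the title should be updated so the backport's intent is described accurately.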
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org