https://fedorahosted.org/freeipa/ticket/2675

I've tested all ASCII non-alphanumeric characters that weren't blocked already. With all except for '<' I've succeeded. Non-ASCII characters also don't work in passwords. (Not that it'd be a good idea to use those.)


--
Petr³
From 700f56d78e1a08ba3a39f9987f12c9bd84c870ce Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 11 May 2012 09:08:59 -0400
Subject: [PATCH] Disallow '<' and non-ASCII characters in the DM password

pkisilent does not handle these properly.

https://fedorahosted.org/freeipa/ticket/2675
---
 install/tools/ipa-server-install |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index f3377df6d0351215504174fe68cafd71d3dca6dc..a5aa1deda4463d56b366a0daa9d1f7eb32f24d0c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -102,12 +102,14 @@ def validate_dm_password(password):
         raise ValueError("Password must be at least 8 characters long")
     if any(ord(c) < 0x20 for c in password):
         raise ValueError("Password must not contain control characters")
-    if ' ' in password:
-        raise ValueError("Password must not contain a space (\" \")")
-    if '&' in password:
-        raise ValueError("Password must not contain an ampersand (\"&\")")
-    if '\\' in password:
-        raise ValueError("Password must not contain a backslash (\"\\\")")
+    if any(ord(c) >= 0x7F for c in password):
+        raise ValueError("Password must only contain ASCII characters")
+
+    # Disallow characters that pkisilent doesn't process properly:
+    bad_characters = ' &\\<'
+    if any(c in bad_characters for c in password):
+        raise ValueError('Password must not contain these characters: %s' %
+            ', '.join('"%s"' % c for c in bad_characters))
 
 def parse_options():
     # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
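
Review bot: The new `ord(c) >= 0x7F` test also catches DEL (0x7F), which is an ASCII control character, so a password containing it is rejected with "Password must only contain ASCII characters", which misdescribes the problem. Consider folding 0x7F into the existing control-character check just above and using `ord(c) > 0x7F` for the non-ASCII test. The non-ASCII check also sits above the "pkisilent doesn't process properly" comment, so it reads as a separate rule; if it is the same pkisilent limitation the commit message names, moving it under that comment would make the reason clear. Separately, the error message renders the space as `" "` in a comma-separated list, which is easy to miss; naming it, as the removed messages did, would be clearer.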
-- 
1.7.10.1
