authorRob Crittenden <rcritten@redhat.com>2010-11-30 17:00:54 -0500
committerSimo Sorce <ssorce@redhat.com>2010-12-17 16:50:14 -0500
commit623abc6bdff15a77fc14eac9dc1af975e9d98b2f (patch)
tree817425f0de3d1e283a90c5f6a9d2a595da74d23f
parent67d1c0711283e840a68597e119daabbf3d090872 (diff)
Properly quote passwords sent to pkisilent so special characters work.
Also check for url-encoded passwords before logging them. ticket 324
-rw-r--r--ipapython/ipautil.py5
-rw-r--r--ipaserver/install/cainstance.py14
2 files changed, 12 insertions, 7 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 9a3e8a6a..236de51f 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -28,6 +28,7 @@ import random
import os, sys, traceback, readline
import stat
import shutil
+import urllib2
from ipapython import ipavalidate
from types import *
@@ -129,6 +130,10 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None):
args = args.replace(value, 'XXXXXXXX')
stdout = stdout.replace(value, 'XXXXXXXX')
stderr = stderr.replace(value, 'XXXXXXXX')
+ quoted = urllib2.quote(value)
+ args = args.replace(quoted, 'XXXXXXXX')
+ stdout = stdout.replace(quoted, 'XXXXXXXX')
+ stderr = stderr.replace(quoted, 'XXXXXXXX')
logging.info('args=%s' % args)
logging.info('stdout=%s' % stdout)
logging.info('stderr=%s' % stderr)
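Review bot: The added redaction only masks the exact `urllib2.quote(value)` spelling of the secret, so the log still shows the password if the tool echoes it in a different url-encoded form (for example `quote_plus` style with `+` for spaces, or lower-case hex escapes); this is a best-effort substring scrub and a short comment above the new lines should say so, e.g. `# also scrub the url-encoded form in case the tool echoes it back`. The loop that binds `value` starts above the hunk, so it is not visible here, but if an empty string ever reaches `nolog`, `str.replace('', 'XXXXXXXX')` on all six lines inserts the mask between every character of the output; a `if not value: continue` guard at the top of the loop would avoid that. On style, `quote` is documented under `urllib`, and I believe `urllib2.quote` works only because `urllib2` re-exports it, so `import urllib` / `urllib.quote(value)` would be the conventional spelling. The enclosing `run()` continues outside the hunk.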
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 7cc8d50a..9d7a4c23 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -507,12 +507,12 @@ class CAInstance(service.Service):
"-cs_hostname", self.host_name,
"-cs_port", str(ADMIN_SECURE_PORT),
"-client_certdb_dir", self.ca_agent_db,
- "-client_certdb_pwd", '"%s"' % self.admin_password,
+ "-client_certdb_pwd", "'%s'" % self.admin_password,
"-preop_pin" , preop_pin,
"-domain_name", self.domain_name,
"-admin_user", "admin",
"-admin_email", "root@localhost",
- "-admin_password", '"%s"' % self.admin_password,
+ "-admin_password", "'%s'" % self.admin_password,
"-agent_name", "ipa-ca-agent",
"-agent_key_size", "2048",
"-agent_key_type", "rsa",
@@ -520,14 +520,14 @@ class CAInstance(service.Service):
"-ldap_host", self.host_name,
"-ldap_port", str(self.ds_port),
"-bind_dn", "\"cn=Directory Manager\"",
- "-bind_password", '"%s"' % self.dm_password,
+ "-bind_password", "'%s'" % self.dm_password,
"-base_dn", self.basedn,
"-db_name", "ipaca",
"-key_size", "2048",
"-key_type", "rsa",
"-key_algorithm", "SHA256withRSA",
"-save_p12", "true",
- "-backup_pwd", '"%s"' % self.admin_password,
+ "-backup_pwd", "'%s'" % self.admin_password,
"-subsystem_name", self.service_name,
"-token_name", "internal",
"-ca_subsystem_cert_subject_name", "\"CN=CA Subsystem,%s\"" % self.subject_base,
@@ -565,7 +565,7 @@ class CAInstance(service.Service):
args.append("-clone_p12_file")
args.append("ca.p12")
args.append("-clone_p12_password")
- args.append('"%s"' % self.dm_password)
+ args.append("'%s'" % self.dm_password)
args.append("-sd_hostname")
args.append(self.master_host)
args.append("-sd_admin_port")
@@ -573,7 +573,7 @@ class CAInstance(service.Service):
args.append("-sd_admin_name")
args.append("admin")
args.append("-sd_admin_password")
- args.append('"%s"' % self.admin_password)
+ args.append("'%s'" % self.admin_password)
args.append("-clone_uri")
args.append("https://%s:%d" % (self.master_host, EE_SECURE_PORT))
else:
@@ -775,7 +775,7 @@ class CAInstance(service.Service):
pwd_file = self.ra_agent_pwd
new_args = ["/usr/bin/certutil", "-d", database, "-f", pwd_file]
new_args = new_args + args
- return ipautil.run(new_args, stdin)
+ return ipautil.run(new_args, stdin, nolog=(pwd_file,))
def __create_ra_agent_db(self):
if ipautil.file_exists(self.ra_agent_db + "/cert8.db"):
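Review bot: In the last hunk, `nolog=(pwd_file,)` hands `run()` the path of the password file (`self.ra_agent_pwd`), not a secret, so the new redaction masks a filename while certutil reads the actual password from that file via `-f`; if the intent is to keep the password out of the log, nothing on this command line carries it, and if hiding the path is deliberate a comment such as `# keep the agent password-file path out of the install log` should say why. In the earlier hunks the switch from `'"%s"'` to `"'%s'"` still does not cope with a password that itself contains a single quote, so that character should either be rejected at input time or escaped for whatever re-parses the argument. Since `ipautil.run()` takes an argument list, the need for quoting at all suggests pkisilent re-parses its argv through a shell; that assumption is worth stating in a comment next to the first quoted password. Independently of quoting, these passwords remain visible in the process list while pkisilent runs, which the commit does not change. The `__spawn_instance` body around these hunks starts and ends outside the page.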