author | Rob Crittenden <rcritten@redhat.com> | 2010-11-30 17:00:54 -0500 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2010-12-17 16:50:14 -0500 |
commit | 623abc6bdff15a77fc14eac9dc1af975e9d98b2f (patch) | |
tree | 817425f0de3d1e283a90c5f6a9d2a595da74d23f | |
parent | 67d1c0711283e840a68597e119daabbf3d090872 (diff) | |
download | freeipa-623abc6bdff15a77fc14eac9dc1af975e9d98b2f.tar.gz freeipa-623abc6bdff15a77fc14eac9dc1af975e9d98b2f.tar.xz freeipa-623abc6bdff15a77fc14eac9dc1af975e9d98b2f.zip |
Properly quote passwords sent to pkisilent so special characters work.
Also check for url-encoded passwords before logging them.
ticket 324
-rw-r--r-- | ipapython/ipautil.py | 5 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 14 |
2 files changed, 12 insertions, 7 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 9a3e8a6a..236de51f 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -28,6 +28,7 @@ import random
 import os, sys, traceback, readline
 import stat
 import shutil
+import urllib2
 
 from ipapython import ipavalidate
 from types import *
@@ -129,6 +130,10 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None):
             args = args.replace(value, 'XXXXXXXX')
             stdout = stdout.replace(value, 'XXXXXXXX')
             stderr = stderr.replace(value, 'XXXXXXXX')
+            quoted = urllib2.quote(value)
+            args = args.replace(quoted, 'XXXXXXXX')
+            stdout = stdout.replace(quoted, 'XXXXXXXX')
+            stderr = stderr.replace(quoted, 'XXXXXXXX')
     logging.info('args=%s' % args)
     logging.info('stdout=%s' % stdout)
     logging.info('stderr=%s' % stderr)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 7cc8d50a..9d7a4c23 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -507,12 +507,12 @@ class CAInstance(service.Service):
             "-cs_hostname", self.host_name,
             "-cs_port", str(ADMIN_SECURE_PORT),
             "-client_certdb_dir", self.ca_agent_db,
-            "-client_certdb_pwd", '"%s"' % self.admin_password,
+            "-client_certdb_pwd", "'%s'" % self.admin_password,
             "-preop_pin" , preop_pin,
             "-domain_name", self.domain_name,
             "-admin_user", "admin",
             "-admin_email", "root@localhost",
-            "-admin_password", '"%s"' % self.admin_password,
+            "-admin_password", "'%s'" % self.admin_password,
             "-agent_name", "ipa-ca-agent",
             "-agent_key_size", "2048",
             "-agent_key_type", "rsa",
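Review bot: `quoted = urllib2.quote(value)` in the new redaction lines of the run() hunk can itself fail: on Python 2, quote() raises a KeyError for a unicode value that contains non-ASCII characters, as far as I can tell, and that exception would surface from the logging path after the command has already executed. Guarding the call, e.g. `quoted = urllib2.quote(value.encode('utf-8') if isinstance(value, unicode) else value)`, keeps redaction from turning into a failure. The new lines also inherit the existing loop's behaviour for an empty value, where `str.replace('', 'XXXXXXXX')` inserts the marker between every character of the logged text; an `if not value: continue` at the top of the loop body would cover both the old and the new replacements. The enclosing for loop and run() itself begin and end outside the hunk.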
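Review bot: `"'%s'" % self.admin_password` on the -client_certdb_pwd and -admin_password lines still leaves a password containing a single quote unescaped, so such a value breaks out of the quoting exactly as a double quote did before this change; the same applies to the hunks at lines 520, 565 and 573. If pkisilent re-parses these arguments through a shell, which the need for quoting suggests but the hunk does not show, the embedded character has to be escaped as well, e.g. a small helper `def _sq(value): return "'%s'" % value.replace("'", "'\\''")` used in place of the bare format; otherwise such passwords should be rejected at input time. A one-line comment saying why the quotes are there, such as `# quoted as one word because pkisilent re-parses its arguments -- confirm`, would keep the next maintainer from reverting to unquoted values. The argument list starts before this hunk and continues past it.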
@@ -520,14 +520,14 @@ class CAInstance(service.Service):
             "-ldap_host", self.host_name,
             "-ldap_port", str(self.ds_port),
             "-bind_dn", "\"cn=Directory Manager\"",
-            "-bind_password", '"%s"' % self.dm_password,
+            "-bind_password", "'%s'" % self.dm_password,
             "-base_dn", self.basedn,
             "-db_name", "ipaca",
             "-key_size", "2048",
             "-key_type", "rsa",
             "-key_algorithm", "SHA256withRSA",
             "-save_p12", "true",
-            "-backup_pwd", '"%s"' % self.admin_password,
+            "-backup_pwd", "'%s'" % self.admin_password,
             "-subsystem_name", self.service_name,
             "-token_name", "internal",
             "-ca_subsystem_cert_subject_name", "\"CN=CA Subsystem,%s\"" % self.subject_base,
@@ -565,7 +565,7 @@ class CAInstance(service.Service):
             args.append("-clone_p12_file")
             args.append("ca.p12")
             args.append("-clone_p12_password")
-            args.append('"%s"' % self.dm_password)
+            args.append("'%s'" % self.dm_password)
             args.append("-sd_hostname")
             args.append(self.master_host)
             args.append("-sd_admin_port")
@@ -573,7 +573,7 @@ class CAInstance(service.Service):
             args.append("-sd_admin_name")
             args.append("admin")
             args.append("-sd_admin_password")
-            args.append('"%s"' % self.admin_password)
+            args.append("'%s'" % self.admin_password)
             args.append("-clone_uri")
             args.append("https://%s:%d" % (self.master_host, EE_SECURE_PORT))
         else:
@@ -775,7 +775,7 @@ class CAInstance(service.Service):
         pwd_file = self.ra_agent_pwd
         new_args = ["/usr/bin/certutil", "-d", database, "-f", pwd_file]
         new_args = new_args + args
-        return ipautil.run(new_args, stdin)
+        return ipautil.run(new_args, stdin, nolog=(pwd_file,))
 
     def __create_ra_agent_db(self):
         if ipautil.file_exists(self.ra_agent_db + "/cert8.db"):
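Review bot: `nolog=(pwd_file,)` in the last hunk redacts the value of pwd_file, which is the argument certutil receives through `-f`, i.e. presumably the path of the agent password file rather than the password itself; if so, the change hides a file name from the log while any secret stays where it was. If hiding the path is the intent, a comment such as `# hide the password-file path from the log -- confirm this is intended` would document it; if the intent was to hide the password, nolog would need the password value, not the file name. The surrounding method begins outside the hunk.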