author | Rich Megginson <rmeggins@redhat.com> | 2009-03-13 14:27:50 +0000 |
---|---|---|
committer | Rich Megginson <rmeggins@redhat.com> | 2009-03-13 14:27:50 +0000 |
commit | a0ab21a70e13be07542ea92374f278f56e29ccfd (patch) | |
tree | de31d25388d32ef9ede56f81052396bafb6b4089 | |
parent | 1b87897a086bbfcd621cfdba35b4890f1ece3e83 (diff) | |
Resolves: bug 489360
Bug Description: Replication Bind Failure After Migration from DS 7.1
Reviewed by: nkinder (Thanks!)
Fix Description: We have to quote shell metacharacters before passing them to the shell. I added a new function shellEscape to use for this purpose. We really should shell escape anything passed to system() or back ticks ``. Certainly passwords should contain shell meta characters so I changed places where we use passwords to use shellEscape to pass them to pwdhash or migratecred. I also chomp() the output of migratecred to remove the trailing newline. With the fix, I was able to run setup with a root password of `~!@#$%^&*()\\|[]{}:;<>?/"\ and successfully authenticate.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
-rw-r--r-- | ldap/admin/src/scripts/DSMigration.pm.in | 9 | ||||
-rw-r--r-- | ldap/admin/src/scripts/Util.pm.in | 20 |
2 files changed, 23 insertions, 6 deletions
diff --git a/ldap/admin/src/scripts/DSMigration.pm.in b/ldap/admin/src/scripts/DSMigration.pm.in
index 58f6227a..dfd4021c 100644
--- a/ldap/admin/src/scripts/DSMigration.pm.in
+++ b/ldap/admin/src/scripts/DSMigration.pm.in
@@ -222,19 +222,22 @@ sub getNewDbDir {
 sub migrateCredentials {
 my ($ent, $attr, $mig, $inst) = @_;
 my $oldval = $ent->getValues($attr);
+ my $qoldval = shellEscape($oldval);
 # Older versions of the server on x86 systems and other systems that do not use network byte order
 # stored the credentials incorrectly. The first step is to determine if this is the case. We
 # migrate using the same server root to see if we get the same output as we input.
 debug(3, "In migrateCredentials - see how old credentials were encoded.\n");
- my $testval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n $mig->{actualsroot}/$inst -c \'$oldval\'`;
+ my $testval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n $mig->{actualsroot}/$inst -c $qoldval`;
+ chomp($testval);
 if ($testval ne $oldval) { # need to turn on the special flag
 debug(3, "Credentials not encoded correctly. oldval $oldval not equal to testval $testval. The value will be re-encoded correctly.\n");
 $ENV{MIGRATE_BROKEN_PWD} = "1"; # decode and re-encode correctly
 }
- debug(3, "Executing @bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c \'$oldval\' . . .\n");
- my $newval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c \'$oldval\'`;
+ debug(3, "Executing @bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c $qoldval . . .\n");
+ my $newval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c $qoldval`;
+ chomp($newval);
 delete $ENV{MIGRATE_BROKEN_PWD}; # clear the flag, if set
 debug(3, "Converted old value [$oldval] to new value [$newval] for attr $attr in entry ", $ent->getDN(), "\n");
 return $newval;
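Review bot: Only the credential goes through `shellEscape` in the two migratecred command lines; `$mig->{actualsroot}` and `$inst` are still interpolated into the backtick string unescaped, so an old server root or instance name containing a space or shell metacharacter is split or interpreted by the shell. The same holds for `-s $alg` in getHashedPassword in Util.pm.in. Escaping the path arguments as well would close this, and running the helper without a shell removes the need for escaping entirely, e.g. `open(my $fh, '-|', '@bindir@/migratecred', '-o', $olddir, '-n', $newdir, '-c', $oldval)` with the two directories held in variables. Neither backtick call checks `$?`, so a failed migratecred leaves an empty `$testval` or `$newval` that is then compared and returned as if it were a credential. The end of migrateCredentials lies outside the hunk.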
diff --git a/ldap/admin/src/scripts/Util.pm.in b/ldap/admin/src/scripts/Util.pm.in index 57473833..e90f3c10 100644 --- a/ldap/admin/src/scripts/Util.pm.in +++ b/ldap/admin/src/scripts/Util.pm.in @@ -47,11 +47,11 @@ require Exporter; @ISA = qw(Exporter); @EXPORT = qw(portAvailable getAvailablePort isValidDN addSuffix getMappedEntries process_maptbl check_and_add_entry getMappedEntries - getHashedPassword debug createInfFromConfig + getHashedPassword debug createInfFromConfig shellEscape isValidServerID isValidUser makePaths getLogin remove_tree remove_pidfile); @EXPORT_OK = qw(portAvailable getAvailablePort isValidDN addSuffix getMappedEntries process_maptbl check_and_add_entry getMappedEntries - getHashedPassword debug createInfFromConfig + getHashedPassword debug createInfFromConfig shellEscape isValidServerID isValidUser makePaths getLogin remove_tree remove_pidfile); use strict; @@ -679,6 +679,20 @@ sub process_maptbl return $mapper; } +# given a string, escape the characters in the string +# so that it can be safely passed to the shell via +# the system() call or `` backticks +sub shellEscape { + my $val = shift; + # first, escape the double quotes and slashes + $val =~ s/([\\"])/\\$1/g; # " font lock fun + # next, escape the rest of the special chars + my $special = '!$\' @#%^&*()|[\]{};:<>?/`'; + $val =~ s/([$special])/\\$1/g; + + return $val; +} + sub getHashedPassword { my $pwd = shift; my $alg = shift; @@ -691,7 +705,7 @@ sub getHashedPassword { if ($alg) { $cmd .= " -s $alg"; } - $cmd .= " \'$pwd\'"; + $cmd .= " " . shellEscape($pwd); my $hashedpwd = `$cmd`; chomp($hashedpwd); |
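Review bot: `shellEscape` is a deny-list, and the `$special` set as shown here omits `~`, tab and newline: a value starting with `~` is tilde-expanded, a tab splits the argument, and a newline cannot be protected by a backslash at all because the shell treats backslash-newline as a line continuation. An empty string also comes back empty, so the argument silently disappears from the command line. Single-quoting covers every byte and the empty case: `$val =~ s/'/'\\''/g;` followed by `return "'" . $val . "'";`. The header comment should also say that the result is one POSIX-shell word and that an undefined `$val` is not handled.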
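Review bot: The password is still placed on the pwdhash command line by `$cmd .= " " . shellEscape($pwd);`, where other local users can read it from the process list while the command runs; escaping does not change that exposure. If pwdhash can take the password from stdin or a file (not visible here), that would be the safer channel; otherwise a comment above the call should record the exposure. A password that begins with `-` is also likely to be parsed by pwdhash as an option unless option processing is ended before it, for example with `--` if the tool supports that. getHashedPassword begins before this hunk and continues past it.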