[Fedora-directory-commits] ldapserver/ldap/admin/src/scripts DSMigration.pm.in, 1.28, 1.29 Util.pm.in, 1.20, 1.21

Richard Allen Megginson rmeggins at fedoraproject.org
Fri Mar 13 14:27:53 UTC 2009


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/admin/src/scripts
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29040/ldapserver/ldap/admin/src/scripts

Modified Files:
	DSMigration.pm.in Util.pm.in 
Log Message:
Resolves: bug 489360
Bug Description: Replication Bind Failure After Migration from DS 7.1
Reviewed by: nkinder (Thanks!)
Fix Description: We have to quote shell metacharacters before passing them to the shell.  I added a new function shellEscape to use for this purpose.  We really should shell escape anything passed to system() or back ticks ``.  Certainly passwords should contain shell meta characters so I changed places where we use passwords to use shellEscape to pass them to pwdhash or migratecred.  I also chomp() the output of migratecred to remove the trailing newline.  With the fix, I was able to run setup with a root password of `~!@#$%^&*()\\|[]{}:;<>?/"\ and successfully authenticate.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no



Index: DSMigration.pm.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/DSMigration.pm.in,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- DSMigration.pm.in	27 Feb 2009 14:33:12 -0000	1.28
+++ DSMigration.pm.in	13 Mar 2009 14:27:50 -0000	1.29
@@ -222,19 +222,22 @@
 sub migrateCredentials {
     my ($ent, $attr, $mig, $inst) = @_;
     my $oldval = $ent->getValues($attr);
+    my $qoldval = shellEscape($oldval);
 
     # Older versions of the server on x86 systems and other systems that do not use network byte order
     # stored the credentials incorrectly.  The first step is to determine if this is the case.  We
     # migrate using the same server root to see if we get the same output as we input.
     debug(3, "In migrateCredentials - see how old credentials were encoded.\n");
-    my $testval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n $mig->{actualsroot}/$inst -c \'$oldval\'`;
+    my $testval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n $mig->{actualsroot}/$inst -c $qoldval`;
+    chomp($testval);
     if ($testval ne $oldval) { # need to turn on the special flag
         debug(3, "Credentials not encoded correctly.  oldval $oldval not equal to testval $testval.  The value will be re-encoded correctly.\n");
         $ENV{MIGRATE_BROKEN_PWD} = "1"; # decode and re-encode correctly
     }
         
-    debug(3, "Executing @bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c \'$oldval\' . . .\n");
-    my $newval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c \'$oldval\'`;
+    debug(3, "Executing @bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c $qoldval . . .\n");
+    my $newval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c $qoldval`;
+    chomp($newval);
     delete $ENV{MIGRATE_BROKEN_PWD}; # clear the flag, if set
     debug(3, "Converted old value [$oldval] to new value [$newval] for attr $attr in entry ", $ent->getDN(), "\n");
     return $newval;
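Review bot: Both backtick commands still interpolate `$mig->{actualsroot}` and `$inst` unescaped, so only the `-c` value is protected from the shell; a server root or instance name containing a space or metacharacter would still be split or interpreted. Build the path once and escape it too, e.g. `my $qoldroot = shellEscape("$mig->{actualsroot}/$inst");`, and use it for `-o` and `-n`. The same gap applies to `$alg` in getHashedPassword in Util.pm.in, which is appended to `$cmd` as-is. Separately, the `debug(3, "Executing ...")` line writes the credential into the debug log, so consider leaving the `-c` value out of that message. migrateCredentials continues past the end of this hunk.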


Index: Util.pm.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/Util.pm.in,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- Util.pm.in	27 Feb 2009 14:33:12 -0000	1.20
+++ Util.pm.in	13 Mar 2009 14:27:50 -0000	1.21
@@ -47,11 +47,11 @@
 @ISA       = qw(Exporter);
 @EXPORT    = qw(portAvailable getAvailablePort isValidDN addSuffix getMappedEntries
                 process_maptbl check_and_add_entry getMappedEntries
-                getHashedPassword debug createInfFromConfig
+                getHashedPassword debug createInfFromConfig shellEscape
                 isValidServerID isValidUser makePaths getLogin remove_tree remove_pidfile);
 @EXPORT_OK = qw(portAvailable getAvailablePort isValidDN addSuffix getMappedEntries
                 process_maptbl check_and_add_entry getMappedEntries
-                getHashedPassword debug createInfFromConfig
+                getHashedPassword debug createInfFromConfig shellEscape
                 isValidServerID isValidUser makePaths getLogin remove_tree remove_pidfile);
 
 use strict;
@@ -679,6 +679,20 @@
     return $mapper;
 }
 
+# given a string, escape the characters in the string
+# so that it can be safely passed to the shell via
+# the system() call or `` backticks
+sub shellEscape {
+    my $val = shift;
+    # first, escape the double quotes and slashes
+    $val =~ s/([\\"])/\\$1/g; # " font lock fun
+    # next, escape the rest of the special chars
+    my $special = '!$\' @#%^&*()|[\]{};:<>?/`';
+    $val =~ s/([$special])/\\$1/g;
+
+    return $val;
+}
+
 sub getHashedPassword {
     my $pwd = shift;
     my $alg = shift;
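Review bot: shellEscape backslash-escapes a fixed list of characters that omits newline, tab and `~`, and it returns an empty string unchanged. A value containing a newline would still end the command line early, a leading `~` is subject to tilde expansion, and an empty password yields no argument at all where the old `'$pwd'` form passed an empty one. Wrapping the value in single quotes and escaping only embedded single quotes covers every byte without maintaining a character list: `$val =~ s/'/'\\''/g; return "'$val'";`. The header comment should then state that the result is one already-quoted shell word which callers must not quote again.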
@@ -691,7 +705,7 @@
     if ($alg) {
         $cmd .= " -s $alg";
     }
-    $cmd .= " \'$pwd\'";
+    $cmd .= " " . shellEscape($pwd);
     my $hashedpwd = `$cmd`;
     chomp($hashedpwd);
 



