Univention Bugzilla – Bug 39376
Validate input for certificate values
Last modified: 2016-07-01 14:29:21 CEST
See Ticket #2015091821000419

We should validate the input for the certificate settings.
The problems were especially the following characters:
* $ and " caused the certificate creation to fail.
* <b> caused the HTML input to be evaluated on all summary pages (wizard + non-wizard).

All input is validated to disallow invalid X.509 Name characters. ASCII control/invisible characters are also not possible anymore (e.g. a null byte). The openssl.cfg file is now created with escaped values.

Error handling has been added to the certificate generation setup script. If the creation fails, the backup is restored. Otherwise the system is unusable: apache and slapd don't run anymore and a login is impossible.

The restart of the UMC-Server is deferred by 5 seconds so that errors/success are shown in the frontend. It looked very ugly because the login dialog immediately popped up with a 0% progress bar in the certificate module.

I tested the creation of all fields with values like:
^°!e"§$%&/( <b> → )=?`#* äöz'ü><Aa09-.:,;

univention-ssl (10.0.0-10):
r66242 | Bug #39376: correctly escape " and $ in config variables

univention-system-setup.yaml:
r66244 | YAML Bug #39376

univention-ssl.yaml:
r66244 | YAML Bug #39376

univention-system-setup (9.0.2-19):
r66243 | Bug #39376: validate SSL related variables
In "util.py":
* p.communicate("""... umc-web-server""") is missing "restart"
* Is it safe to assume, that atd is running? If not, the UMC-server-restart in run_scripts() could be modified to use fork() instead of at, to not be dependent on it.

In umc/python/setup/__init__.py:
* "for table in (stringprep.in_table_c21..." <- use in_table_c21_c22 instead?
(In reply to Daniel Tröder from comment #2)
> In "util.py":
> * p.communicate("""... umc-web-server""") is missing "restart"

Yes, thanks!

> * Is it safe to assume, that atd is running? If not, the UMC-server-restart
> in run_scripts() could be modified to use fork() instead of at, to not be
> dependent on it.

The system-setup-cleanup scripts are also executed by at so it must run. I added a package dependency as well (which is unneeded as linux depends on it).

> In umc/python/setup/__init__.py:
> * "for table in (stringprep.in_table_c21..." <- use in_table_c21_c22 instead?

Not really required but okay, so I added it.

univention-system-setup (9.0.2-25):
r66731 | Bug #39941: Bug #39376: restrict country codes in ldap/base; fix UMC-Webserver restart
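An added example, not part of the original bug comments and not Univention's code: one way to combine the validation and escaping described in the comments above, using the stringprep control-character tables mentioned in the review. The function names, the extra tables C.3 to C.5 and the set of escaped characters are assumptions; the page itself names only `"` and `$`.

```python
import stringprep

# Assumption: code points treated as prohibited. C.2.1/C.2.2 are the control
# character tables named in the review; C.3 to C.5 are an added precaution.
PROHIBITED_TABLES = (
    stringprep.in_table_c21_c22,  # ASCII and non-ASCII control characters
    stringprep.in_table_c3,       # private use
    stringprep.in_table_c4,       # non-character code points
    stringprep.in_table_c5,       # surrogate codes
)

# Assumption: characters with special meaning in an OpenSSL config value
# (escape char, quotes, variable expansion, comment start).
OPENSSL_SPECIAL = '\\"$\'#'


def invalid_chars(value):
    """Return the prohibited characters in value, in order, without duplicates."""
    found = []
    for ch in value:
        if ch not in found and any(table(ch) for table in PROHIBITED_TABLES):
            found.append(ch)
    return found


def validate_cert_value(name, value):
    """Raise ValueError if value contains a prohibited character."""
    bad = invalid_chars(value)
    if bad:
        codes = ", ".join("U+%04X" % ord(ch) for ch in bad)
        raise ValueError("%s contains invalid characters: %s" % (name, codes))
    return value


def escape_openssl_value(value):
    """Backslash-escape characters that are special in an OpenSSL config value."""
    return "".join("\\" + ch if ch in OPENSSL_SPECIAL else ch for ch in value)


def render_config_line(key, value):
    """Validate first, then escape, so control characters never reach the file."""
    return "%s = %s" % (key, escape_openssl_value(validate_cert_value(key, value)))


if __name__ == "__main__":
    # Constructed sample value containing the two characters the bug names.
    print(render_config_line("organizationName", 'Uni "vention" G$mbH'))
```

Values shown on HTML summary pages need separate output encoding (for example `html.escape`), since `<b>` passes this validation unchanged.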
OK: code
OK: advisory
OK: manual test (Uni°Ãäv~ent%ion G§mB$%h → uni-aev-ent-ion-g-mb-h)
<http://errata.software-univention.de/ucs/4.1/70.html>
(In reply to Janek Walkenhorst from comment #5)
> <http://errata.software-univention.de/ucs/4.1/70.html>

Set back to verified.
<http://errata.software-univention.de/ucs/4.1/97.html>
*** Bug 21494 has been marked as a duplicate of this bug. ***