Comment 1 Florian Best 2015-12-09 17:34:40 CET

The problem were especially the following characters:
$ and " caused the certificate creation to fail.
<b> caused that the HTML input was evaluated on all summary pages (wizard + non-wizard).

All input is validated to disallow invalid X.509 Name characters.
ASCII control/invisble characters are also not possible anymore (e.g. a null byte).

The openssl.cfg file is now created with escaped values.

Error handling has been added to the certificate generation setup script. If the creation fails the backup is restored. Otherwise the system is unusable, apache and slapd doesn't run anymore and a login is impossible.

The restart of the UMC-Server is deferred by 5 Seconds so that errors/success is shown in the frontend. It looked very ugly because the login dialog immediately popped up with a 0% progress bar in the certificate module.

I tested the creation of all fields with values like:
^°!e"§$%&/(  <b>   → )=?`#* äöz'ü><Aa09-.:,;

univention-ssl (10.0.0-10):
r66242 | Bug #39376: correctly escape " and $ in config variables

univention-system-setup.yaml:
r66244 | YAML Bug #39376

univention-ssl.yaml:
r66244 | YAML Bug #39376

univention-system-setup (9.0.2-19):
r66243 | Bug #39376: validate SSL related variables

Comment 2 Daniel Tröder 2016-01-12 08:58:48 CET

In "util.py":
* p.communicate("""... umc-web-server""") is missing "restart"
* Is it safe to assume, that atd is running? If not, the UMC-server-restart in run_scripts() could be modified to use fork() instead of at, to not be dependent on it.

In umc/python/setup/__init__.py:
* "for table in (stringprep.in_table_c21..." <- use in_table_c21_c22 instead?

Comment 3 Florian Best 2016-01-12 12:13:33 CET

(In reply to Daniel Tröder from comment #2)
> In "util.py":
> * p.communicate("""... umc-web-server""") is missing "restart"
Yes, thanks!
> * Is it safe to assume, that atd is running? If not, the UMC-server-restart
> in run_scripts() could be modified to use fork() instead of at, to not be
> dependent on it.
The system-setup-cleanup scripts are also executed by at so it must run. I added a package dependency as well (which is unneeded as linux depends on it).

> In umc/python/setup/__init__.py:
> * "for table in (stringprep.in_table_c21..." <- use in_table_c21_c22 instead?
Not really required but okay, so I added it.

univention-system-setup (9.0.2-25):
r66731 | Bug #39941: Bug #39376: restrict country codes in ldap/base; fix UMC-Webserver restart

Comment 4 Daniel Tröder 2016-01-13 14:24:40 CET

OK: code
OK: advisory 
OK: manual test (Uni°Ãäv~ent%ion G§mB$%h → uni-aev-ent-ion-g-mb-h)

Comment 5 Janek Walkenhorst 2016-01-27 16:24:20 CET

<http://errata.software-univention.de/ucs/4.1/70.html>

Comment 6 Stefan Gohmann 2016-02-02 19:36:35 CET

(In reply to Janek Walkenhorst from comment #5)
> <http://errata.software-univention.de/ucs/4.1/70.html>

Set back to verified.

Comment 7 Janek Walkenhorst 2016-02-04 13:55:46 CET

<http://errata.software-univention.de/ucs/4.1/97.html>

Comment 8 Florian Best 2016-07-01 14:29:21 CEST

*** Bug 21494 has been marked as a duplicate of this bug. ***