Bug 39376 - Validate input for certificate values
Validate input for certificate values
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Certificate settings
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.1-0-errata
Assigned To: Florian Best
Daniel Tröder
:
: 21494 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-22 07:26 CEST by Stefan Gohmann
Modified: 2016-07-01 14:29 CEST (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2015-09-22 07:26:38 CEST
See Ticket #2015091821000419

We should validate the input for the certificate settings.
Comment 1 Florian Best univentionstaff 2015-12-09 17:34:40 CET
The problem were especially the following characters:
$ and " caused the certificate creation to fail.
<b> caused that the HTML input was evaluated on all summary pages (wizard + non-wizard).

All input is validated to disallow invalid X.509 Name characters.
ASCII control/invisble characters are also not possible anymore (e.g. a null byte).

The openssl.cfg file is now created with escaped values.

Error handling has been added to the certificate generation setup script. If the creation fails the backup is restored. Otherwise the system is unusable, apache and slapd doesn't run anymore and a login is impossible.

The restart of the UMC-Server is deferred by 5 Seconds so that errors/success is shown in the frontend. It looked very ugly because the login dialog immediately popped up with a 0% progress bar in the certificate module.

I tested the creation of all fields with values like:
^°!e"§$%&/(  <b>   → )=?`#* äöz'ü><Aa09-.:,;

univention-ssl (10.0.0-10):
r66242 | Bug #39376: correctly escape " and $ in config variables

univention-system-setup.yaml:
r66244 | YAML Bug #39376

univention-ssl.yaml:
r66244 | YAML Bug #39376

univention-system-setup (9.0.2-19):
r66243 | Bug #39376: validate SSL related variables
Comment 2 Daniel Tröder univentionstaff 2016-01-12 08:58:48 CET
In "util.py":
* p.communicate("""... umc-web-server""") is missing "restart"
* Is it safe to assume, that atd is running? If not, the UMC-server-restart in run_scripts() could be modified to use fork() instead of at, to not be dependent on it.

In umc/python/setup/__init__.py:
* "for table in (stringprep.in_table_c21..." <- use in_table_c21_c22 instead?
Comment 3 Florian Best univentionstaff 2016-01-12 12:13:33 CET
(In reply to Daniel Tröder from comment #2)
> In "util.py":
> * p.communicate("""... umc-web-server""") is missing "restart"
Yes, thanks!
> * Is it safe to assume, that atd is running? If not, the UMC-server-restart
> in run_scripts() could be modified to use fork() instead of at, to not be
> dependent on it.
The system-setup-cleanup scripts are also executed by at so it must run. I added a package dependency as well (which is unneeded as linux depends on it).

> In umc/python/setup/__init__.py:
> * "for table in (stringprep.in_table_c21..." <- use in_table_c21_c22 instead?
Not really required but okay, so I added it.

univention-system-setup (9.0.2-25):
r66731 | Bug #39941: Bug #39376: restrict country codes in ldap/base; fix UMC-Webserver restart
Comment 4 Daniel Tröder univentionstaff 2016-01-13 14:24:40 CET
OK: code
OK: advisory 
OK: manual test (Uni°Ãäv~ent%ion G§mB$%h → uni-aev-ent-ion-g-mb-h)
Comment 5 Janek Walkenhorst univentionstaff 2016-01-27 16:24:20 CET
<http://errata.software-univention.de/ucs/4.1/70.html>
Comment 6 Stefan Gohmann univentionstaff 2016-02-02 19:36:35 CET
(In reply to Janek Walkenhorst from comment #5)
> <http://errata.software-univention.de/ucs/4.1/70.html>

Set back to verified.
Comment 7 Janek Walkenhorst univentionstaff 2016-02-04 13:55:46 CET
<http://errata.software-univention.de/ucs/4.1/97.html>
Comment 8 Florian Best univentionstaff 2016-07-01 14:29:21 CEST
*** Bug 21494 has been marked as a duplicate of this bug. ***