Bug 24758 – Insecure quoting, global variables in umc.sh, join fails if password contains space

Bug 24758 - Insecure quoting, global variables in umc.sh, join fails if password contains space


Summary:	Insecure quoting, global variables in umc.sh, join fails if password contains...

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	univention-lib
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.1-3-errata
Assigned To:	Philipp Hahn
QA Contact:	Florian Best

URL:
Keywords:

Duplicates:	25884 26827 41615 41874 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2011-11-21 14:01 CET by Philipp Hahn
Modified:	2016-10-20 12:39 CEST (History)
CC List:	7 users (show)

See Also:
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Further conceptual development, Security, Troubleshooting
Max CVSS v3 score:

Flags:	hahn: Patch_Available+

Attachments
Workaround shell quoting (4.42 KB, patch) 2013-07-17 19:08 CEST, Philipp Hahn	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Philipp Hahn

2011-11-21 14:01:59 CET

Bei der QA für Bug #24330 ist aufgefallen, das umc.sh mehrere Funktionen deklariert, die ggf. globale Variablen überschreiben, und Variablen nicht korrekt quotet.

> BIND_ARGS="$@"
ist äquivalent zu BIND_ARGS=$* und zerstört ggf. Leerzeichen in Argumenten

> timestamp=$(date +'%Y%d%m%H%M%S')
+local
> for ifile in index.html debug.html; do
+local
> for idir in css js; do
+local
> for f in /usr/share/univention-management-console-frontend/${idir}_\$*\$; do
+local

> udm container/cn create $BIND_ARGS --ignore_exists --position cn=univention,$ldap_base --set name=UMC
$BIND_ARGS wird anhand von $IFS aufgespalten.
Quoting von "$ldap_base"

> udm $module remove $BIND_ARGS --dn "cn=$name,$container,$ldap_base"
"$module"

> operations="$operations --append operation=$oper "
IFS

> ops="$ops --append allow=cn=$op,cn=operations,cn=UMC,cn=univention,$ldap_base "
IFS


Für das korrekte Quoting entweder als bash-Skript umschreiben und Bash-Arrays verwenden, oder
eval ... $(quote "$cmd_line_argument") verwenden

Comment 1 Philipp Hahn

2013-07-17 18:02:25 CEST

*** Bug 26827 has been marked as a duplicate of this bug. ***

Comment 2 Philipp Hahn

2013-07-17 18:02:35 CEST

*** Bug 25884 has been marked as a duplicate of this bug. ***

Comment 3 Philipp Hahn

2013-07-17 19:08:41 CEST

Created attachment 5327 [details]
Workaround shell quoting

This was motivated by:

34univention-management-console-server.inst:
> WARNING: the following arguments are ignored: "am" "Main,dc=phahn,dc=dev" "univention" "--ignore_exists" "--position" "cn=univention,dc=phahn,dc=dev" "--set" "name=UMC"
> E: Insufficient information
> The following parameters are missing:
> name


Alternative declare that Join-Scripts must use #!/bin/bash and use BIND=("$@"):
$ git grep -l /usr/share/univention-lib/umc.sh
base/univention-firewall/35univention-management-console-module-firewall.inst
base/univention-lib/shell/all.sh
base/univention-quota/35univention-management-console-module-quota.inst
base/univention-system-setup/35univention-management-console-module-setup.inst
base/univention-updater/35univention-management-console-module-updater.inst
management/univention-admingrp-user-passwordreset/95univention-admingrp-user-passwordreset.inst
management/univention-join/35univention-management-console-module-join.inst
management/univention-management-console-frontend/debian/univention-management-console-frontend.postinst
management/univention-management-console-module-appcenter/35univention-management-console-module-appcenter.inst
management/univention-management-console-module-appcenter/36univention-management-console-module-apps.inst
management/univention-management-console-module-ipchange/35univention-management-console-module-ipchange.inst
management/univention-management-console-module-lib/35univention-management-console-module-lib.inst
management/univention-management-console-module-luga/35univention-management-console-module-luga.inst
management/univention-management-console-module-mrtg/35univention-management-console-module-mrtg.inst
management/univention-management-console-module-reboot/35univention-management-console-module-reboot.inst
management/univention-management-console-module-services/35univention-management-console-module-services.inst
management/univention-management-console-module-top/35univention-management-console-module-top.inst
management/univention-management-console-module-ucr/35univention-management-console-module-ucr.inst
management/univention-management-console-module-udm/35univention-management-console-module-udm.inst
management/univention-management-console/34univention-management-console-server.inst
management/univention-management-console/dev/dh-umc-module-install
management/univention-management-console/tests/sanitizer/install.sh
management/univention-management-console/umc-module-templates/grid_with_detailpage/35PACKAGENAME.inst
management/univention-management-console/umc-module-templates/simple_form/35PACKAGENAME.inst
management/univention-system-info/35univention-management-console-module-sysinfo.inst
packaging/ucslint/testframework/0001-6-7/0001-6-7.inst
services/univention-ad-connector/35univention-management-console-module-adconnector.inst
services/univention-pkgdb/35univention-management-console-module-pkgdb.inst
services/univention-printserver/35univention-management-console-module-printers.inst
virtualization/univention-virtual-machine-manager-daemon/45univention-management-console-module-uvmm.inst


See Bug #31996 for a notion to get rid of "$@" altogether.

Comment 4 Erik Damrose

2016-02-15 16:17:12 CET

UCS 4.1: This causes the domain join to fail if the Administrator password contains a space:

Configure 34univention-management-console-server.inst Mon Feb 15 13:45:59 CET 2016
WARNING: the following arguments are ignored: "<PASSWORD_CHARS_AFTER_SPACE>" "--ignore_exists" "--position" "cn=univention,dc=xx,dc=xx" "--set" "name=UMC"
authentication error: Authentication failed

Ticket#2016020921000401

Comment 5 Michael Grandjean

2016-06-20 15:36:45 CEST

*** Bug 41615 has been marked as a duplicate of this bug. ***

Comment 6 Erik Damrose

2016-08-01 13:08:15 CEST

*** Bug 41874 has been marked as a duplicate of this bug. ***

Comment 7 Erik Damrose

2016-08-01 13:12:02 CEST

Set MS to 4.1-2-errata, from bug #41874

Comment 8 Arvid Requate

2016-08-01 13:26:26 CEST

I'd like to vote for bash arrays "${BIND_ARGS[@]}", but I can't, because univention-lib gets included from dash/sh scripts too.

Comment 9 Philipp Hahn

2016-10-17 13:33:35 CEST

$ git grep -l /usr/share/univention-lib/umc.sh | xargs grep -l /bin/bash | wc -l
3
$ git grep -l /usr/share/univention-lib/umc.sh | xargs grep -l /bin/sh | wc -l
39

r73287 | Bug #24758 lib: Fix quoting in umc.sh
r73286 | Bug #24758 lib: Fix quoting in umc.sh

Package: univention-lib
Version: 5.0.0-16.323.201610171329
Branch: ucs_4.1-0
Scope: errata4.1-3

r73288 | Bug #24758 lib: Fix quoting in umc.sh YAML
 univention-lib.yaml

QA:
 dn="uid=Administrator, cn=users , $(ucr get ldap/base)"
 udm users/user list --bindd "$dn" --bindpwd univention | grep ^DN:
 set -- --bindd "$dn" --bindpwd univention
 . /usr/share/univention-lib/umc.sh
 _umc_udm users/user list | grep ^DN:

Comment 10 Florian Best

2016-10-17 17:27:20 CEST

OK: shell compatibility
OK: local variables
OK: spaces in parameters
OK: YAML
OK: UCS 4.2 merge

root@xen7:~# /bin/sh
\u@\h:\w$ dn="uid=Administrator, cn=users , $(ucr get ldap/base)"
\u@\h:\w$ set -- --bindd "$dn" --bindpwd univention
\u@\h:\w$ . /usr/share/univention-lib/umc.sh
\u@\h:\w$ umc_operation_create bar bar "" bar baz "foo blub"
Object created: cn=bar,cn=operations,cn=UMC,cn=univention,dc=school,dc=local
\u@\h:\w$ univention-ldapsearch -LLLoldif-wrap=no -b cn=bar,cn=operations,cn=UMC,cn=univention,dc=school,dc=local umcOperationSetCommand
umcOperationSetCommand: bar
umcOperationSetCommand: baz
umcOperationSetCommand: foo:blub

Comment 11 Janek Walkenhorst

2016-10-20 12:39:49 CEST

<http://errata.software-univention.de/ucs/4.1/296.html>