dc8c34
From cfb84033a5bb0748718d9e303a64591475ff1f2d Mon Sep 17 00:00:00 2001
dc8c34
From: Noriko Hosoi <nhosoi@redhat.com>
dc8c34
Date: Thu, 16 Apr 2015 16:10:49 -0700
dc8c34
Subject: [PATCH 315/319] Ticket #48143 - Password is not correctly passed to
dc8c34
 perl command line tools if it contains shell special characters.
dc8c34
dc8c34
Description: If a password contains shell special characters such as '$', '!',
dc8c34
'"', or ''', they were evaluated before passing to the core programs, e.g.,
dc8c34
ns-slapd for import and export or ldapmodify for tasks.
dc8c34
dc8c34
This patch escapes the special characters using shellEscape subroutine
dc8c34
in DSUtil.pm.
dc8c34
dc8c34
Example:
dc8c34
  Directory Manager Password: pas$w!or'd"
dc8c34
  $ ./db2ldif.pl -n userRoot -D 'cn=directory manager' -w pas\$w\!or\'d\"
dc8c34
  Successfully added task entry "cn=export_2015_4_7_15_17_16,cn=export,cn=tasks,cn=config"
dc8c34
dc8c34
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
dc8c34
dc8c34
https://fedorahosted.org/389/ticket/48143
dc8c34
(cherry picked from commit 68b1039769e8fd8d3ee39bcac8f57f7f3d37ee1a)
dc8c34
---
dc8c34
 ldap/admin/src/scripts/template-bak2db.pl.in       |  6 +++++-
dc8c34
 ldap/admin/src/scripts/template-cleanallruv.pl.in  |  6 +++++-
dc8c34
 ldap/admin/src/scripts/template-db2bak.pl.in       |  6 +++++-
dc8c34
 ldap/admin/src/scripts/template-db2index.pl.in     |  6 +++++-
dc8c34
 ldap/admin/src/scripts/template-db2ldif.pl.in      |  6 +++++-
dc8c34
 .../src/scripts/template-fixup-linkedattrs.pl.in   |  6 +++++-
dc8c34
 .../src/scripts/template-fixup-memberof.pl.in      |  6 +++++-
dc8c34
 ldap/admin/src/scripts/template-ldif2db.pl.in      |  6 +++++-
dc8c34
 .../src/scripts/template-ns-accountstatus.pl.in    | 25 +++++++++++++---------
dc8c34
 ldap/admin/src/scripts/template-ns-activate.pl.in  | 25 +++++++++++++---------
dc8c34
 .../admin/src/scripts/template-ns-inactivate.pl.in | 25 +++++++++++++---------
dc8c34
 .../src/scripts/template-ns-newpwpolicy.pl.in      | 10 +++++----
dc8c34
 .../admin/src/scripts/template-schema-reload.pl.in |  6 +++++-
dc8c34
 .../src/scripts/template-syntax-validate.pl.in     |  6 +++++-
dc8c34
 .../scripts/template-usn-tombstone-cleanup.pl.in   |  6 +++++-
dc8c34
 15 files changed, 106 insertions(+), 45 deletions(-)
dc8c34
dc8c34
diff --git a/ldap/admin/src/scripts/template-bak2db.pl.in b/ldap/admin/src/scripts/template-bak2db.pl.in
dc8c34
index 2f243ba..61cc510 100644
dc8c34
--- a/ldap/admin/src/scripts/template-bak2db.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-bak2db.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
 	print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
 	print(STDERR "     :    -a dirname [-t dbtype]\n");
dc8c34
@@ -132,7 +135,8 @@ libpath_add("@nss_libdir@");
dc8c34
 libpath_add("/usr/lib");
dc8c34
 
dc8c34
 $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
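Review bot: On the new `open(FOO, "| ldapmodify … -D \"$rootdn\" -w $escaped -a")` line only the password is escaped; `$rootdn` still sits inside shell double quotes, so `$`, a backquote or `"` in the bind DN is evaluated by the shell the same way the password was before. Dropping the quotes around `-w` also means an empty password leaves `-w` without a value, so it would consume `-a`, and the result now depends on shellEscape (DSUtil.pm, not part of this patch) escaping whitespace and `;`, `&`, `|` as well as the four characters named in the description. A list-form pipe such as `open(FOO, "|-", "ldapmodify", @opts, "-D", $rootdn, "-w", $passwd, "-a")` avoids the shell for both values, with `@ldaptool_opts@`, `$vstr`, host and port split into `@opts`. The identical line is added in the cleanallruv, db2bak, db2index, db2ldif, fixup-linkedattrs, fixup-memberof, ldif2db, schema-reload, syntax-validate and usn-tombstone-cleanup templates. The top-level code around it continues outside the hunk.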
dc8c34
diff --git a/ldap/admin/src/scripts/template-cleanallruv.pl.in b/ldap/admin/src/scripts/template-cleanallruv.pl.in
dc8c34
index 437a3c0..6dfeec6 100644
dc8c34
--- a/ldap/admin/src/scripts/template-cleanallruv.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-cleanallruv.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
     print(STDERR "        [-b basedn | -r rid | -A]\n");
dc8c34
@@ -168,7 +171,8 @@ $rid =    "replica-id: $rid\n";
dc8c34
 
dc8c34
 
dc8c34
 $entry = "${dn}${misc}${cn}${basedn}${rid}";
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
diff --git a/ldap/admin/src/scripts/template-db2bak.pl.in b/ldap/admin/src/scripts/template-db2bak.pl.in
dc8c34
index 329664f..6349f34 100644
dc8c34
--- a/ldap/admin/src/scripts/template-db2bak.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-db2bak.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
 	print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
 	print(STDERR "          [-a dirname] [-t dbtype]\n");
dc8c34
@@ -122,7 +125,8 @@ libpath_add("/usr/lib");
dc8c34
 
dc8c34
 $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
dc8c34
 print("Back up directory: $archivedir\n");
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
diff --git a/ldap/admin/src/scripts/template-db2index.pl.in b/ldap/admin/src/scripts/template-db2index.pl.in
dc8c34
index 39454c5..2423d36 100644
dc8c34
--- a/ldap/admin/src/scripts/template-db2index.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-db2index.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
     print(STDERR "        -n instance [-t attributeName[:indextypes[:matchingrules]]]\n");
dc8c34
@@ -226,7 +229,8 @@ $cn =  "cn: $taskname\n";
dc8c34
 $nsinstance = "nsInstance: ${instance}\n";
dc8c34
 
dc8c34
 $entry = "${dn}${misc}${cn}${nsinstance}${attribute}${vlvattribute}";
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
diff --git a/ldap/admin/src/scripts/template-db2ldif.pl.in b/ldap/admin/src/scripts/template-db2ldif.pl.in
dc8c34
index febedd4..d1b1f39 100644
dc8c34
--- a/ldap/admin/src/scripts/template-db2ldif.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-db2ldif.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
 	print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
 	print(STDERR "        {-n instance}* | {-s include}* [{-x exclude}*] \n");
dc8c34
@@ -266,7 +269,8 @@ libpath_add("/usr/lib");
dc8c34
 
dc8c34
 $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
dc8c34
 print("Exporting to ldif file: ${ldiffile}\n");
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
diff --git a/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in b/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
dc8c34
index 67f0b31..d9dd336 100644
dc8c34
--- a/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
     print(STDERR "        [-l linkDN]\n");
dc8c34
@@ -152,7 +155,8 @@ if ($linkdn_arg ne "")
dc8c34
 }
dc8c34
 
dc8c34
 $entry = "${dn}${misc}${cn}${basedn}${linkdn}";
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
diff --git a/ldap/admin/src/scripts/template-fixup-memberof.pl.in b/ldap/admin/src/scripts/template-fixup-memberof.pl.in
dc8c34
index 77a1528..f05def0 100644
dc8c34
--- a/ldap/admin/src/scripts/template-fixup-memberof.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-fixup-memberof.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
     print(STDERR "        -b baseDN [-f filter]\n");
dc8c34
@@ -163,7 +166,8 @@ if ( $filter_arg ne "" )
dc8c34
 }
dc8c34
 
dc8c34
 $entry = "${dn}${misc}${cn}${basedn}${filter}";
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
diff --git a/ldap/admin/src/scripts/template-ldif2db.pl.in b/ldap/admin/src/scripts/template-ldif2db.pl.in
dc8c34
index 1cf83b4..5fff029 100644
dc8c34
--- a/ldap/admin/src/scripts/template-ldif2db.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-ldif2db.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
 	print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
 	print(STDERR "        -n instance | {-s include}* [{-x exclude}*] [-O] [-c]\n");
dc8c34
@@ -224,7 +227,8 @@ libpath_add("@nss_libdir@");
dc8c34
 libpath_add("/usr/lib");
dc8c34
 
dc8c34
 $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
diff --git a/ldap/admin/src/scripts/template-ns-accountstatus.pl.in b/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
dc8c34
index 8e2e590..e97d1bc 100644
dc8c34
--- a/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
dc8c34
@@ -43,6 +43,9 @@
dc8c34
 # SUB-ROUTINES
dc8c34
 ###############################
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage_and_exit
dc8c34
 {
dc8c34
 	print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n");
dc8c34
@@ -110,7 +113,7 @@ sub indirectLock
dc8c34
 
dc8c34
 	my $L_local;
dc8c34
 
dc8c34
-`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
dc8c34
+`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
dc8c34
 $retCode=$?;
dc8c34
 if ( $retCode != 0 )
dc8c34
 {
dc8c34
@@ -119,13 +122,13 @@ if ( $retCode != 0 )
dc8c34
 }
dc8c34
 
dc8c34
 	# Check if the role is a nested role
dc8c34
-	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
dc8c34
+	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
dc8c34
 	# L_isNested == 1 means that we are going through a nested role, so for each member of that
dc8c34
 	# nested role, check that the member is below the scope of the nested
dc8c34
 	$L_isNested=@L_Nested;
dc8c34
 
dc8c34
 	# Not Direct Lock, Go through roles if any
dc8c34
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
dc8c34
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
dc8c34
 
dc8c34
 	debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n");
dc8c34
 
dc8c34
@@ -247,7 +250,7 @@ sub memberOf
dc8c34
 	my $L_search;
dc8c34
 	my $L_currentrole;
dc8c34
 
dc8c34
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
dc8c34
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
dc8c34
 
dc8c34
 	debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n");
dc8c34
 
dc8c34
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}";
dc8c34
 # User values
dc8c34
 $rootdn= "{{ROOT-DN}}";
dc8c34
 $rootpw= "";
dc8c34
+$escaped= "";
dc8c34
 $pwfile= "";
dc8c34
 $host= "{{SERVER-NAME}}";
dc8c34
 $port= "{{SERVER-PORT}}";
dc8c34
@@ -489,11 +493,12 @@ if( $entry eq "" )
dc8c34
 	usage_and_exit();
dc8c34
 }
dc8c34
 
dc8c34
+$escaped = shellEscape($rootpw);
dc8c34
 #
dc8c34
 # Check the actual existence of the entry to inactivate/activate
dc8c34
 # and at the same time, validate the various parm: port, host, rootdn, rootpw
dc8c34
 #
dc8c34
-@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`;
dc8c34
+@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`;
dc8c34
 $retCode1=$?;
dc8c34
 if ( $retCode1 != 0 )
dc8c34
 {
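Review bot: The value assigned by `$escaped = shellEscape($rootpw);` ends up in `$L_search` inside memberOf, and the context line `debug("\t\t-->memberOf: $L_search: …")` in that hunk prints the whole command, so whatever debug() emits includes the bind password. Printing a copy with the `-w` value masked, e.g. `(my $shown = $L_search) =~ s/ -w \Q$escaped\E / -w ***** /;`, keeps it out of logs. In the `@exist` backtick line here only `-w` is escaped, while `$rootdn` and `$entry` remain inside shell double quotes and `$port`/`$host` are unquoted, so those values are still shell-expanded. template-ns-activate.pl.in and template-ns-inactivate.pl.in add the same lines.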
dc8c34
@@ -501,7 +506,7 @@ if ( $retCode1 != 0 )
dc8c34
 	exit $retCode1;
dc8c34
 }
dc8c34
 
dc8c34
-@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
dc8c34
+@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
dc8c34
 $nbLineRole=@isRole;
dc8c34
 $retCode2=$?;
dc8c34
 if ( $retCode2 != 0 )
dc8c34
@@ -527,7 +532,7 @@ else
dc8c34
 $isLocked=0;
dc8c34
 if ( $single == 1 )
dc8c34
 {
dc8c34
-	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
dc8c34
+	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
dc8c34
 	open (LDAP1, "$searchAccountLock |");
dc8c34
 	while (<LDAP1>) {
dc8c34
 		s/\n //g;
dc8c34
@@ -575,7 +580,7 @@ while ($cont == 0)
dc8c34
 	#	ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\""
dc8c34
 	#
dc8c34
 	debug("\tSuffix from the entry: #@suffixN#\n");
dc8c34
-	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
dc8c34
+	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
dc8c34
 
dc8c34
 	$retCode=$?;
dc8c34
 	if ( $retCode != 0 )
dc8c34
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" )
dc8c34
 		"\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'",
dc8c34
 		"cn=nsAccountInactivation_cos,@suffixN" );
dc8c34
 
dc8c34
-	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 ";
dc8c34
+	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 ";
dc8c34
 	@role1=(
dc8c34
 		"dn: cn=nsManagedDisabledRole,@suffixN\n",
dc8c34
 		"objectclass: LDAPsubentry\n",
dc8c34
@@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" )
dc8c34
 #
dc8c34
 # Inactivate/activate the entry
dc8c34
 #
dc8c34
-$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1;;
dc8c34
+$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1;;
dc8c34
 if ( $single == 1 )
dc8c34
 {
dc8c34
 	@record=(
dc8c34
diff --git a/ldap/admin/src/scripts/template-ns-activate.pl.in b/ldap/admin/src/scripts/template-ns-activate.pl.in
dc8c34
index 8e2e590..3cc53e9 100644
dc8c34
--- a/ldap/admin/src/scripts/template-ns-activate.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-ns-activate.pl.in
dc8c34
@@ -43,6 +43,9 @@
dc8c34
 # SUB-ROUTINES
dc8c34
 ###############################
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage_and_exit
dc8c34
 {
dc8c34
 	print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n");
dc8c34
@@ -110,7 +113,7 @@ sub indirectLock
dc8c34
 
dc8c34
 	my $L_local;
dc8c34
 
dc8c34
-`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
dc8c34
+`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
dc8c34
 $retCode=$?;
dc8c34
 if ( $retCode != 0 )
dc8c34
 {
dc8c34
@@ -119,13 +122,13 @@ if ( $retCode != 0 )
dc8c34
 }
dc8c34
 
dc8c34
 	# Check if the role is a nested role
dc8c34
-	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
dc8c34
+	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
dc8c34
 	# L_isNested == 1 means that we are going through a nested role, so for each member of that
dc8c34
 	# nested role, check that the member is below the scope of the nested
dc8c34
 	$L_isNested=@L_Nested;
dc8c34
 
dc8c34
 	# Not Direct Lock, Go through roles if any
dc8c34
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
dc8c34
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
dc8c34
 
dc8c34
 	debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n");
dc8c34
 
dc8c34
@@ -247,7 +250,7 @@ sub memberOf
dc8c34
 	my $L_search;
dc8c34
 	my $L_currentrole;
dc8c34
 
dc8c34
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
dc8c34
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
dc8c34
 
dc8c34
 	debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n");
dc8c34
 
dc8c34
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}";
dc8c34
 # User values
dc8c34
 $rootdn= "{{ROOT-DN}}";
dc8c34
 $rootpw= "";
dc8c34
+$escaped= "";
dc8c34
 $pwfile= "";
dc8c34
 $host= "{{SERVER-NAME}}";
dc8c34
 $port= "{{SERVER-PORT}}";
dc8c34
@@ -493,7 +497,8 @@ if( $entry eq "" )
dc8c34
 # Check the actual existence of the entry to inactivate/activate
dc8c34
 # and at the same time, validate the various parm: port, host, rootdn, rootpw
dc8c34
 #
dc8c34
-@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`;
dc8c34
+$escaped = shellEscape($rootpw);
dc8c34
+@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`;
dc8c34
 $retCode1=$?;
dc8c34
 if ( $retCode1 != 0 )
dc8c34
 {
dc8c34
@@ -501,7 +506,7 @@ if ( $retCode1 != 0 )
dc8c34
 	exit $retCode1;
dc8c34
 }
dc8c34
 
dc8c34
-@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
dc8c34
+@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
dc8c34
 $nbLineRole=@isRole;
dc8c34
 $retCode2=$?;
dc8c34
 if ( $retCode2 != 0 )
dc8c34
@@ -527,7 +532,7 @@ else
dc8c34
 $isLocked=0;
dc8c34
 if ( $single == 1 )
dc8c34
 {
dc8c34
-	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
dc8c34
+	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
dc8c34
 	open (LDAP1, "$searchAccountLock |");
dc8c34
 	while (<LDAP1>) {
dc8c34
 		s/\n //g;
dc8c34
@@ -575,7 +580,7 @@ while ($cont == 0)
dc8c34
 	#	ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\""
dc8c34
 	#
dc8c34
 	debug("\tSuffix from the entry: #@suffixN#\n");
dc8c34
-	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
dc8c34
+	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
dc8c34
 
dc8c34
 	$retCode=$?;
dc8c34
 	if ( $retCode != 0 )
dc8c34
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" )
dc8c34
 		"\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'",
dc8c34
 		"cn=nsAccountInactivation_cos,@suffixN" );
dc8c34
 
dc8c34
-	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 ";
dc8c34
+	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 ";
dc8c34
 	@role1=(
dc8c34
 		"dn: cn=nsManagedDisabledRole,@suffixN\n",
dc8c34
 		"objectclass: LDAPsubentry\n",
dc8c34
@@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" )
dc8c34
 #
dc8c34
 # Inactivate/activate the entry
dc8c34
 #
dc8c34
-$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1;;
dc8c34
+$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1;;
dc8c34
 if ( $single == 1 )
dc8c34
 {
dc8c34
 	@record=(
dc8c34
diff --git a/ldap/admin/src/scripts/template-ns-inactivate.pl.in b/ldap/admin/src/scripts/template-ns-inactivate.pl.in
dc8c34
index 8e2e590..3cc53e9 100644
dc8c34
--- a/ldap/admin/src/scripts/template-ns-inactivate.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-ns-inactivate.pl.in
dc8c34
@@ -43,6 +43,9 @@
dc8c34
 # SUB-ROUTINES
dc8c34
 ###############################
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage_and_exit
dc8c34
 {
dc8c34
 	print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n");
dc8c34
@@ -110,7 +113,7 @@ sub indirectLock
dc8c34
 
dc8c34
 	my $L_local;
dc8c34
 
dc8c34
-`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
dc8c34
+`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
dc8c34
 $retCode=$?;
dc8c34
 if ( $retCode != 0 )
dc8c34
 {
dc8c34
@@ -119,13 +122,13 @@ if ( $retCode != 0 )
dc8c34
 }
dc8c34
 
dc8c34
 	# Check if the role is a nested role
dc8c34
-	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
dc8c34
+	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
dc8c34
 	# L_isNested == 1 means that we are going through a nested role, so for each member of that
dc8c34
 	# nested role, check that the member is below the scope of the nested
dc8c34
 	$L_isNested=@L_Nested;
dc8c34
 
dc8c34
 	# Not Direct Lock, Go through roles if any
dc8c34
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
dc8c34
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
dc8c34
 
dc8c34
 	debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n");
dc8c34
 
dc8c34
@@ -247,7 +250,7 @@ sub memberOf
dc8c34
 	my $L_search;
dc8c34
 	my $L_currentrole;
dc8c34
 
dc8c34
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
dc8c34
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
dc8c34
 
dc8c34
 	debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n");
dc8c34
 
dc8c34
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}";
dc8c34
 # User values
dc8c34
 $rootdn= "{{ROOT-DN}}";
dc8c34
 $rootpw= "";
dc8c34
+$escaped= "";
dc8c34
 $pwfile= "";
dc8c34
 $host= "{{SERVER-NAME}}";
dc8c34
 $port= "{{SERVER-PORT}}";
dc8c34
@@ -493,7 +497,8 @@ if( $entry eq "" )
dc8c34
 # Check the actual existence of the entry to inactivate/activate
dc8c34
 # and at the same time, validate the various parm: port, host, rootdn, rootpw
dc8c34
 #
dc8c34
-@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`;
dc8c34
+$escaped = shellEscape($rootpw);
dc8c34
+@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`;
dc8c34
 $retCode1=$?;
dc8c34
 if ( $retCode1 != 0 )
dc8c34
 {
dc8c34
@@ -501,7 +506,7 @@ if ( $retCode1 != 0 )
dc8c34
 	exit $retCode1;
dc8c34
 }
dc8c34
 
dc8c34
-@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
dc8c34
+@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
dc8c34
 $nbLineRole=@isRole;
dc8c34
 $retCode2=$?;
dc8c34
 if ( $retCode2 != 0 )
dc8c34
@@ -527,7 +532,7 @@ else
dc8c34
 $isLocked=0;
dc8c34
 if ( $single == 1 )
dc8c34
 {
dc8c34
-	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
dc8c34
+	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
dc8c34
 	open (LDAP1, "$searchAccountLock |");
dc8c34
 	while (<LDAP1>) {
dc8c34
 		s/\n //g;
dc8c34
@@ -575,7 +580,7 @@ while ($cont == 0)
dc8c34
 	#	ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\""
dc8c34
 	#
dc8c34
 	debug("\tSuffix from the entry: #@suffixN#\n");
dc8c34
-	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
dc8c34
+	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
dc8c34
 
dc8c34
 	$retCode=$?;
dc8c34
 	if ( $retCode != 0 )
dc8c34
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" )
dc8c34
 		"\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'",
dc8c34
 		"cn=nsAccountInactivation_cos,@suffixN" );
dc8c34
 
dc8c34
-	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 ";
dc8c34
+	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 ";
dc8c34
 	@role1=(
dc8c34
 		"dn: cn=nsManagedDisabledRole,@suffixN\n",
dc8c34
 		"objectclass: LDAPsubentry\n",
dc8c34
@@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" )
dc8c34
 #
dc8c34
 # Inactivate/activate the entry
dc8c34
 #
dc8c34
-$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1;;
dc8c34
+$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1;;
dc8c34
 if ( $single == 1 )
dc8c34
 {
dc8c34
 	@record=(
dc8c34
diff --git a/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in b/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in
dc8c34
index bd9b238..a41c342 100755
dc8c34
--- a/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in
dc8c34
@@ -40,6 +40,7 @@
dc8c34
 #
dc8c34
 
dc8c34
 use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
 
dc8c34
 # enable the use of our bundled perldap with our bundled ldapsdk libraries
dc8c34
 # all of this nonsense can be omitted if the mozldapsdk and perldap are
dc8c34
@@ -112,6 +113,7 @@ sub usage {
dc8c34
 		print (STDERR "Please provide at least -S or -U option.\n\n");
dc8c34
 	}
dc8c34
 
dc8c34
+	$escaped = shellEscape($opt_w);
dc8c34
 	# Now, check if the user/group exists
dc8c34
 
dc8c34
 	if ($opt_S) {
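Review bot: The bind password still reaches ldapmodify as a `-w` argument (`$ldapadd` and `$modifyCfg` in the next two hunks use `-w $escaped`), so it is visible in the process list to other local users for as long as each command runs. Where the installed tool can read the password from a file (`-j` in the Mozilla LDAP tools, `-y` in OpenLDAP), writing it to a mode-0600 temporary file and passing that instead would keep it out of argv. At minimum a comment next to the assignment, such as `# password is passed on the ldapmodify command line; visible in ps output`, would document the exposure. The enclosing block starts and ends outside the hunk.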
dc8c34
@@ -126,8 +128,8 @@ sub usage {
dc8c34
 			"cn=nsPwPolicy_cos,$opt_S"
dc8c34
 		);
dc8c34
 
dc8c34
-		$ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c -a 2>&1;;
dc8c34
-		$modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c 2>&1;;
dc8c34
+		$ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c -a 2>&1;;
dc8c34
+		$modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c 2>&1;;
dc8c34
 
dc8c34
 		@container=(
dc8c34
 			"dn: cn=nsPwPolicyContainer,$opt_S\n",
dc8c34
@@ -223,8 +225,8 @@ sub usage {
dc8c34
 			"cn=cn\\=nsPwPolicyEntry\\,$esc_opt_U,cn=nsPwPolicyContainer,$parentDN"
dc8c34
 		);
dc8c34
 
dc8c34
-		$ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c -a 2>&1;;
dc8c34
-		$modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c 2>&1;;
dc8c34
+		$ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c -a 2>&1;;
dc8c34
+		$modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c 2>&1;;
dc8c34
 
dc8c34
 		@container=(
dc8c34
 			"dn: cn=nsPwPolicyContainer,$parentDN\n",
dc8c34
diff --git a/ldap/admin/src/scripts/template-schema-reload.pl.in b/ldap/admin/src/scripts/template-schema-reload.pl.in
dc8c34
index 6b64b5e..96cc48d 100644
dc8c34
--- a/ldap/admin/src/scripts/template-schema-reload.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-schema-reload.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
     print(STDERR "        [-d schemadir]\n");
dc8c34
@@ -152,7 +155,8 @@ if ( $schemadir_arg ne "" )
dc8c34
 }
dc8c34
 
dc8c34
 $entry = "${dn}${misc}${cn}${basedn}${schemadir}";
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
diff --git a/ldap/admin/src/scripts/template-syntax-validate.pl.in b/ldap/admin/src/scripts/template-syntax-validate.pl.in
dc8c34
index b40ef69..6008a2d 100644
dc8c34
--- a/ldap/admin/src/scripts/template-syntax-validate.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-syntax-validate.pl.in
dc8c34
@@ -39,6 +39,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
dc8c34
     print(STDERR "        -b baseDN [-f filter]\n");
dc8c34
@@ -163,7 +166,8 @@ if ( $filter_arg ne "" )
dc8c34
 }
dc8c34
 
dc8c34
 $entry = "${dn}${misc}${cn}${basedn}${filter}";
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
diff --git a/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in b/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
dc8c34
index 92c106d..928ccc9 100644
dc8c34
--- a/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
dc8c34
+++ b/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
dc8c34
@@ -38,6 +38,9 @@
dc8c34
 # END COPYRIGHT BLOCK
dc8c34
 #
dc8c34
 
dc8c34
+use lib qw(@perlpath@);
dc8c34
+use DSUtil qw(shellEscape);
dc8c34
+
dc8c34
 sub usage {
dc8c34
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } -s suffix | -n backend [ -m maxusn_to_delete ]\n");
dc8c34
     print(STDERR " Opts: -D rootdn           - Directory Manager\n");
dc8c34
@@ -180,7 +183,8 @@ if ( $maxusn_arg ne "" )
dc8c34
 }
dc8c34
 
dc8c34
 $entry = "${dn}${misc}${cn}${basedn}${args}";
dc8c34
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
dc8c34
+$escaped = shellEscape($passwd);
dc8c34
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
dc8c34
 print(FOO "$entry");
dc8c34
 close(FOO);
dc8c34
 $retcode = $?>>8;
dc8c34
-- 
dc8c34
1.9.3
dc8c34