From cfb84033a5bb0748718d9e303a64591475ff1f2d Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 16 Apr 2015 16:10:49 -0700
Subject: [PATCH 315/319] Ticket #48143 - Password is not correctly passed to
perl command line tools if it contains shell special characters.
Description: If a password contained shell special characters such as '$', '!',
'"', or ''', they were evaluated by the shell before being passed to the core programs, e.g.,
ns-slapd for import and export or ldapmodify for tasks.
This patch escapes the special characters using shellEscape subroutine
in DSUtil.pm.
Example:
Directory Manager Password: pas$w!or'd"
$ ./db2ldif.pl -n userRoot -D 'cn=directory manager' -w pas\$w\!or\'d\"
Successfully added task entry "cn=export_2015_4_7_15_17_16,cn=export,cn=tasks,cn=config"
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
https://fedorahosted.org/389/ticket/48143
(cherry picked from commit 68b1039769e8fd8d3ee39bcac8f57f7f3d37ee1a)
---
ldap/admin/src/scripts/template-bak2db.pl.in | 6 +++++-
ldap/admin/src/scripts/template-cleanallruv.pl.in | 6 +++++-
ldap/admin/src/scripts/template-db2bak.pl.in | 6 +++++-
ldap/admin/src/scripts/template-db2index.pl.in | 6 +++++-
ldap/admin/src/scripts/template-db2ldif.pl.in | 6 +++++-
.../src/scripts/template-fixup-linkedattrs.pl.in | 6 +++++-
.../src/scripts/template-fixup-memberof.pl.in | 6 +++++-
ldap/admin/src/scripts/template-ldif2db.pl.in | 6 +++++-
.../src/scripts/template-ns-accountstatus.pl.in | 25 +++++++++++++---------
ldap/admin/src/scripts/template-ns-activate.pl.in | 25 +++++++++++++---------
.../admin/src/scripts/template-ns-inactivate.pl.in | 25 +++++++++++++---------
.../src/scripts/template-ns-newpwpolicy.pl.in | 10 +++++----
.../admin/src/scripts/template-schema-reload.pl.in | 6 +++++-
.../src/scripts/template-syntax-validate.pl.in | 6 +++++-
.../scripts/template-usn-tombstone-cleanup.pl.in | 6 +++++-
15 files changed, 106 insertions(+), 45 deletions(-)
diff --git a/ldap/admin/src/scripts/template-bak2db.pl.in b/ldap/admin/src/scripts/template-bak2db.pl.in
index 2f243ba..61cc510 100644
--- a/ldap/admin/src/scripts/template-bak2db.pl.in
+++ b/ldap/admin/src/scripts/template-bak2db.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " : -a dirname [-t dbtype]\n");
@@ -132,7 +135,8 @@ libpath_add("@nss_libdir@");
libpath_add("/usr/lib");
$ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
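Review bot: `$rootdn` on the rewritten open() line is still interpolated into the shell command inside double quotes, so a bind DN containing `"`, `$`, a backslash or a backtick is subject to the same shell evaluation this commit fixes for the password; escape it the same way, `$escaped_dn = shellEscape($rootdn);` and `-D $escaped_dn`, or avoid the shell entirely with the list form of open (`'|-'` followed by the program and one argument per element, splitting `@ldaptool_opts@` into its parts), which makes escaping unnecessary. Replacing `\"$passwd\"` with an unquoted `$escaped` also means characters the double quotes used to neutralise (whitespace, `;`, `&`, `|`, `*`, `<`, `>`) are now safe only if shellEscape covers them; DSUtil.pm is not part of this patch, so that is worth confirming with a test password containing a space. The same two lines recur in template-cleanallruv, db2bak, db2index, db2ldif, fixup-linkedattrs, fixup-memberof, ldif2db, schema-reload, syntax-validate and usn-tombstone-cleanup. The surrounding top-level code continues outside the hunk.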
diff --git a/ldap/admin/src/scripts/template-cleanallruv.pl.in b/ldap/admin/src/scripts/template-cleanallruv.pl.in
index 437a3c0..6dfeec6 100644
--- a/ldap/admin/src/scripts/template-cleanallruv.pl.in
+++ b/ldap/admin/src/scripts/template-cleanallruv.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " [-b basedn | -r rid | -A]\n");
@@ -168,7 +171,8 @@ $rid = "replica-id: $rid\n";
$entry = "${dn}${misc}${cn}${basedn}${rid}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-db2bak.pl.in b/ldap/admin/src/scripts/template-db2bak.pl.in
index 329664f..6349f34 100644
--- a/ldap/admin/src/scripts/template-db2bak.pl.in
+++ b/ldap/admin/src/scripts/template-db2bak.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " [-a dirname] [-t dbtype]\n");
@@ -122,7 +125,8 @@ libpath_add("/usr/lib");
$ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
print("Back up directory: $archivedir\n");
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-db2index.pl.in b/ldap/admin/src/scripts/template-db2index.pl.in
index 39454c5..2423d36 100644
--- a/ldap/admin/src/scripts/template-db2index.pl.in
+++ b/ldap/admin/src/scripts/template-db2index.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " -n instance [-t attributeName[:indextypes[:matchingrules]]]\n");
@@ -226,7 +229,8 @@ $cn = "cn: $taskname\n";
$nsinstance = "nsInstance: ${instance}\n";
$entry = "${dn}${misc}${cn}${nsinstance}${attribute}${vlvattribute}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-db2ldif.pl.in b/ldap/admin/src/scripts/template-db2ldif.pl.in
index febedd4..d1b1f39 100644
--- a/ldap/admin/src/scripts/template-db2ldif.pl.in
+++ b/ldap/admin/src/scripts/template-db2ldif.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " {-n instance}* | {-s include}* [{-x exclude}*] \n");
@@ -266,7 +269,8 @@ libpath_add("/usr/lib");
$ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
print("Exporting to ldif file: ${ldiffile}\n");
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in b/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
index 67f0b31..d9dd336 100644
--- a/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
+++ b/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " [-l linkDN]\n");
@@ -152,7 +155,8 @@ if ($linkdn_arg ne "")
}
$entry = "${dn}${misc}${cn}${basedn}${linkdn}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-fixup-memberof.pl.in b/ldap/admin/src/scripts/template-fixup-memberof.pl.in
index 77a1528..f05def0 100644
--- a/ldap/admin/src/scripts/template-fixup-memberof.pl.in
+++ b/ldap/admin/src/scripts/template-fixup-memberof.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " -b baseDN [-f filter]\n");
@@ -163,7 +166,8 @@ if ( $filter_arg ne "" )
}
$entry = "${dn}${misc}${cn}${basedn}${filter}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-ldif2db.pl.in b/ldap/admin/src/scripts/template-ldif2db.pl.in
index 1cf83b4..5fff029 100644
--- a/ldap/admin/src/scripts/template-ldif2db.pl.in
+++ b/ldap/admin/src/scripts/template-ldif2db.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " -n instance | {-s include}* [{-x exclude}*] [-O] [-c]\n");
@@ -224,7 +227,8 @@ libpath_add("@nss_libdir@");
libpath_add("/usr/lib");
$ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-ns-accountstatus.pl.in b/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
index 8e2e590..e97d1bc 100644
--- a/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
+++ b/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
@@ -43,6 +43,9 @@
# SUB-ROUTINES
###############################
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage_and_exit
{
print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n");
@@ -110,7 +113,7 @@ sub indirectLock
my $L_local;
-`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
+`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
$retCode=$?;
if ( $retCode != 0 )
{
@@ -119,13 +122,13 @@ if ( $retCode != 0 )
}
# Check if the role is a nested role
- @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" ";
+ @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" ";
# L_isNested == 1 means that we are going through a nested role, so for each member of that
# nested role, check that the member is below the scope of the nested
$L_isNested=@L_Nested;
# Not Direct Lock, Go through roles if any
- $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
+ $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n");
@@ -247,7 +250,7 @@ sub memberOf
my $L_search;
my $L_currentrole;
- $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
+ $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n");
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}";
# User values
$rootdn= "{{ROOT-DN}}";
$rootpw= "";
+$escaped= "";
$pwfile= "";
$host= "{{SERVER-NAME}}";
$port= "{{SERVER-PORT}}";
@@ -489,11 +493,12 @@ if( $entry eq "" )
usage_and_exit();
}
+$escaped = shellEscape($rootpw);
#
# Check the actual existence of the entry to inactivate/activate
# and at the same time, validate the various parm: port, host, rootdn, rootpw
#
-@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`;
+@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`;
$retCode1=$?;
if ( $retCode1 != 0 )
{
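Review bot: The `$escaped = shellEscape($rootpw);` assignment is placed before the explanatory comment block here but after it in template-ns-activate and template-ns-inactivate, and the index lines show all three templates start from the same blob (8e2e590) yet end up as two different results (e97d1bc vs 3cc53e9); keeping the three files byte-identical, with the assignment directly above the `@exist=` search in each, avoids the templates drifting apart. `$escaped` is also read as a file-level global inside `indirectLock` and `memberOf` (the earlier hunks of this file), whose initial value is `""`; if either sub can be reached before this assignment, the shell would see an empty `-w` and ldapsearch would consume the next token as the password, but the call sites are outside the hunks so this is an inference to confirm. A one-line comment above the assignment, `# escaped copy of $rootpw used by every ldapsearch/ldapmodify below and by indirectLock/memberOf`, would make the ordering dependency explicit.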
@@ -501,7 +506,7 @@ if ( $retCode1 != 0 )
exit $retCode1;
}
-@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
+@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
$nbLineRole=@isRole;
$retCode2=$?;
if ( $retCode2 != 0 )
@@ -527,7 +532,7 @@ else
$isLocked=0;
if ( $single == 1 )
{
- $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
+ $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
open (LDAP1, "$searchAccountLock |");
while (<LDAP1>) {
s/\n //g;
@@ -575,7 +580,7 @@ while ($cont == 0)
# ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\""
#
debug("\tSuffix from the entry: #@suffixN#\n");
- @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
+ @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
$retCode=$?;
if ( $retCode != 0 )
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" )
"\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'",
"cn=nsAccountInactivation_cos,@suffixN" );
- $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 ";
+ $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 ";
@role1=(
"dn: cn=nsManagedDisabledRole,@suffixN\n",
"objectclass: LDAPsubentry\n",
@@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" )
#
# Inactivate/activate the entry
#
-$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1";
+$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1";
if ( $single == 1 )
{
@record=(
diff --git a/ldap/admin/src/scripts/template-ns-activate.pl.in b/ldap/admin/src/scripts/template-ns-activate.pl.in
index 8e2e590..3cc53e9 100644
--- a/ldap/admin/src/scripts/template-ns-activate.pl.in
+++ b/ldap/admin/src/scripts/template-ns-activate.pl.in
@@ -43,6 +43,9 @@
# SUB-ROUTINES
###############################
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage_and_exit
{
print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n");
@@ -110,7 +113,7 @@ sub indirectLock
my $L_local;
-`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
+`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
$retCode=$?;
if ( $retCode != 0 )
{
@@ -119,13 +122,13 @@ if ( $retCode != 0 )
}
# Check if the role is a nested role
- @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" ";
+ @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" ";
# L_isNested == 1 means that we are going through a nested role, so for each member of that
# nested role, check that the member is below the scope of the nested
$L_isNested=@L_Nested;
# Not Direct Lock, Go through roles if any
- $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
+ $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n");
@@ -247,7 +250,7 @@ sub memberOf
my $L_search;
my $L_currentrole;
- $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
+ $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n");
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}";
# User values
$rootdn= "{{ROOT-DN}}";
$rootpw= "";
+$escaped= "";
$pwfile= "";
$host= "{{SERVER-NAME}}";
$port= "{{SERVER-PORT}}";
@@ -493,7 +497,8 @@ if( $entry eq "" )
# Check the actual existence of the entry to inactivate/activate
# and at the same time, validate the various parm: port, host, rootdn, rootpw
#
-@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`;
+$escaped = shellEscape($rootpw);
+@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`;
$retCode1=$?;
if ( $retCode1 != 0 )
{
@@ -501,7 +506,7 @@ if ( $retCode1 != 0 )
exit $retCode1;
}
-@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
+@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
$nbLineRole=@isRole;
$retCode2=$?;
if ( $retCode2 != 0 )
@@ -527,7 +532,7 @@ else
$isLocked=0;
if ( $single == 1 )
{
- $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
+ $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
open (LDAP1, "$searchAccountLock |");
while (<LDAP1>) {
s/\n //g;
@@ -575,7 +580,7 @@ while ($cont == 0)
# ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\""
#
debug("\tSuffix from the entry: #@suffixN#\n");
- @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
+ @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
$retCode=$?;
if ( $retCode != 0 )
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" )
"\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'",
"cn=nsAccountInactivation_cos,@suffixN" );
- $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 ";
+ $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 ";
@role1=(
"dn: cn=nsManagedDisabledRole,@suffixN\n",
"objectclass: LDAPsubentry\n",
@@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" )
#
# Inactivate/activate the entry
#
-$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1";
+$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1";
if ( $single == 1 )
{
@record=(
diff --git a/ldap/admin/src/scripts/template-ns-inactivate.pl.in b/ldap/admin/src/scripts/template-ns-inactivate.pl.in
index 8e2e590..3cc53e9 100644
--- a/ldap/admin/src/scripts/template-ns-inactivate.pl.in
+++ b/ldap/admin/src/scripts/template-ns-inactivate.pl.in
@@ -43,6 +43,9 @@
# SUB-ROUTINES
###############################
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage_and_exit
{
print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n");
@@ -110,7 +113,7 @@ sub indirectLock
my $L_local;
-`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
+`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
$retCode=$?;
if ( $retCode != 0 )
{
@@ -119,13 +122,13 @@ if ( $retCode != 0 )
}
# Check if the role is a nested role
- @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" ";
+ @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" ";
# L_isNested == 1 means that we are going through a nested role, so for each member of that
# nested role, check that the member is below the scope of the nested
$L_isNested=@L_Nested;
# Not Direct Lock, Go through roles if any
- $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
+ $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n");
@@ -247,7 +250,7 @@ sub memberOf
my $L_search;
my $L_currentrole;
- $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
+ $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n");
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}";
# User values
$rootdn= "{{ROOT-DN}}";
$rootpw= "";
+$escaped= "";
$pwfile= "";
$host= "{{SERVER-NAME}}";
$port= "{{SERVER-PORT}}";
@@ -493,7 +497,8 @@ if( $entry eq "" )
# Check the actual existence of the entry to inactivate/activate
# and at the same time, validate the various parm: port, host, rootdn, rootpw
#
-@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`;
+$escaped = shellEscape($rootpw);
+@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`;
$retCode1=$?;
if ( $retCode1 != 0 )
{
@@ -501,7 +506,7 @@ if ( $retCode1 != 0 )
exit $retCode1;
}
-@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
+@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
$nbLineRole=@isRole;
$retCode2=$?;
if ( $retCode2 != 0 )
@@ -527,7 +532,7 @@ else
$isLocked=0;
if ( $single == 1 )
{
- $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
+ $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
open (LDAP1, "$searchAccountLock |");
while (<LDAP1>) {
s/\n //g;
@@ -575,7 +580,7 @@ while ($cont == 0)
# ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\""
#
debug("\tSuffix from the entry: #@suffixN#\n");
- @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
+ @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
$retCode=$?;
if ( $retCode != 0 )
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" )
"\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'",
"cn=nsAccountInactivation_cos,@suffixN" );
- $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 ";
+ $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 ";
@role1=(
"dn: cn=nsManagedDisabledRole,@suffixN\n",
"objectclass: LDAPsubentry\n",
@@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" )
#
# Inactivate/activate the entry
#
-$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1";
+$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1";
if ( $single == 1 )
{
@record=(
diff --git a/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in b/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in
index bd9b238..a41c342 100755
--- a/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in
+++ b/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in
@@ -40,6 +40,7 @@
#
use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
# enable the use of our bundled perldap with our bundled ldapsdk libraries
# all of this nonsense can be omitted if the mozldapsdk and perldap are
@@ -112,6 +113,7 @@ sub usage {
print (STDERR "Please provide at least -S or -U option.\n\n");
}
+ $escaped = shellEscape($opt_w);
# Now, check if the user/group exists
if ($opt_S) {
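Review bot: `$escaped = shellEscape($opt_w);` is called unconditionally, and unlike the other scripts in this patch this file does not initialise `$escaped` first; if option parsing (outside the hunk) allows `$opt_w` to be unset, shellEscape receives undef and the later `-w $escaped` becomes an empty `-w`, so ldapmodify would take the following `-c` as the password. Guarding it, `$escaped = defined $opt_w ? shellEscape($opt_w) : "";`, or documenting that `-w` is mandatory here, would make the behaviour explicit. The enclosing code block starts and ends outside the hunk.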
@@ -126,8 +128,8 @@ sub usage {
"cn=nsPwPolicy_cos,$opt_S"
);
- $ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c -a 2>&1";
- $modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c 2>&1";
+ $ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c -a 2>&1";
+ $modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c 2>&1";
@container=(
"dn: cn=nsPwPolicyContainer,$opt_S\n",
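Review bot: The escaped password still reaches ldapmodify as a command-line argument (`-w $escaped`), where it is readable by other local users through the process table for the lifetime of the child; shellEscape changes how the shell parses the value, not where it ends up. The usage text of the other scripts in this patch already advertises `-j filename`, so forwarding a password file (or `-w -` to read it from stdin, where the entry is not itself being piped) to the ldap tool would close that exposure, though whether the bundled ldapmodify accepts such an option is not visible here. This applies to every ldapsearch and ldapmodify invocation in the patch, including the `$modifyCfg` line in the next hunk. The enclosing block continues outside the hunk.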
@@ -223,8 +225,8 @@ sub usage {
"cn=cn\\=nsPwPolicyEntry\\,$esc_opt_U,cn=nsPwPolicyContainer,$parentDN"
);
- $ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c -a 2>&1";
- $modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c 2>&1";
+ $ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c -a 2>&1";
+ $modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c 2>&1";
@container=(
"dn: cn=nsPwPolicyContainer,$parentDN\n",
diff --git a/ldap/admin/src/scripts/template-schema-reload.pl.in b/ldap/admin/src/scripts/template-schema-reload.pl.in
index 6b64b5e..96cc48d 100644
--- a/ldap/admin/src/scripts/template-schema-reload.pl.in
+++ b/ldap/admin/src/scripts/template-schema-reload.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " [-d schemadir]\n");
@@ -152,7 +155,8 @@ if ( $schemadir_arg ne "" )
}
$entry = "${dn}${misc}${cn}${basedn}${schemadir}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-syntax-validate.pl.in b/ldap/admin/src/scripts/template-syntax-validate.pl.in
index b40ef69..6008a2d 100644
--- a/ldap/admin/src/scripts/template-syntax-validate.pl.in
+++ b/ldap/admin/src/scripts/template-syntax-validate.pl.in
@@ -39,6 +39,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
print(STDERR " -b baseDN [-f filter]\n");
@@ -163,7 +166,8 @@ if ( $filter_arg ne "" )
}
$entry = "${dn}${misc}${cn}${basedn}${filter}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in b/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
index 92c106d..928ccc9 100644
--- a/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
+++ b/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
@@ -38,6 +38,9 @@
# END COPYRIGHT BLOCK
#
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
sub usage {
print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } -s suffix | -n backend [ -m maxusn_to_delete ]\n");
print(STDERR " Opts: -D rootdn - Directory Manager\n");
@@ -180,7 +183,8 @@ if ( $maxusn_arg ne "" )
}
$entry = "${dn}${misc}${cn}${basedn}${args}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
print(FOO "$entry");
close(FOO);
$retcode = $?>>8;
--
1.9.3