From cfb84033a5bb0748718d9e303a64591475ff1f2d Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Thu, 16 Apr 2015 16:10:49 -0700 Subject: [PATCH 315/319] Ticket #48143 - Password is not correctly passed to perl command line tools if it contains shell special characters. Description: If a password contains shell special characters such as '$', '!', '"', or ''', they were evaluated before passing to the core programs, e.g., ns-slapd for import and export or ldapmodify for tasks. This patch escapes the special characters using shellEscape subroutine in DSUtil.pm. Example: Directory Manager Password: pas$w!or'd" $ ./db2ldif.pl -n userRoot -D 'cn=directory manager' -w pas\$w\!or\'d\" Successfully added task entry "cn=export_2015_4_7_15_17_16,cn=export,cn=tasks,cn=config" Reviewed by rmeggins@redhat.com (Thank you, Rich!!) https://fedorahosted.org/389/ticket/48143 (cherry picked from commit 68b1039769e8fd8d3ee39bcac8f57f7f3d37ee1a) --- ldap/admin/src/scripts/template-bak2db.pl.in | 6 +++++- ldap/admin/src/scripts/template-cleanallruv.pl.in | 6 +++++- ldap/admin/src/scripts/template-db2bak.pl.in | 6 +++++- ldap/admin/src/scripts/template-db2index.pl.in | 6 +++++- ldap/admin/src/scripts/template-db2ldif.pl.in | 6 +++++- .../src/scripts/template-fixup-linkedattrs.pl.in | 6 +++++- .../src/scripts/template-fixup-memberof.pl.in | 6 +++++- ldap/admin/src/scripts/template-ldif2db.pl.in | 6 +++++- .../src/scripts/template-ns-accountstatus.pl.in | 25 +++++++++++++--------- ldap/admin/src/scripts/template-ns-activate.pl.in | 25 +++++++++++++--------- .../admin/src/scripts/template-ns-inactivate.pl.in | 25 +++++++++++++--------- .../src/scripts/template-ns-newpwpolicy.pl.in | 10 +++++---- .../admin/src/scripts/template-schema-reload.pl.in | 6 +++++- .../src/scripts/template-syntax-validate.pl.in | 6 +++++- .../scripts/template-usn-tombstone-cleanup.pl.in | 6 +++++- 15 files changed, 106 insertions(+), 45 deletions(-) 
diff --git a/ldap/admin/src/scripts/template-bak2db.pl.in b/ldap/admin/src/scripts/template-bak2db.pl.in index 2f243ba..61cc510 100644 --- a/ldap/admin/src/scripts/template-bak2db.pl.in +++ b/ldap/admin/src/scripts/template-bak2db.pl.in @@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " : -a dirname [-t dbtype]\n"); @@ -132,7 +135,8 @@ libpath_add("@nss_libdir@"); libpath_add("/usr/lib"); $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}"; -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-cleanallruv.pl.in b/ldap/admin/src/scripts/template-cleanallruv.pl.in index 437a3c0..6dfeec6 100644 --- a/ldap/admin/src/scripts/template-cleanallruv.pl.in +++ b/ldap/admin/src/scripts/template-cleanallruv.pl.in @@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " [-b basedn | -r rid | -A]\n"); @@ -168,7 +171,8 @@ $rid = "replica-id: $rid\n"; $entry = "${dn}${misc}${cn}${basedn}${rid}"; -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-db2bak.pl.in b/ldap/admin/src/scripts/template-db2bak.pl.in index 329664f..6349f34 100644 
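Review bot: The rewritten open() line escapes only the password; `-D \"$rootdn\"` on the same line still hands the DN to the shell inside double quotes, where `$`, backquotes and `\` are evaluated exactly as the password was before, and the same holds for the corresponding ldapmodify lines in cleanallruv, db2bak, db2index, db2ldif, fixup-linkedattrs, fixup-memberof, ldif2db, schema-reload, syntax-validate and usn-tombstone-cleanup, and for `-D \"$opt_D\"` in ns-newpwpolicy. Applying the same helper, `-D " . shellEscape($rootdn) . " -w $escaped -a`, closes that gap; a list-form pipe open — `open(FOO, '|-', 'ldapmodify', split(' ', "@ldaptool_opts@ $vstr"), '-h', '{{SERVER-NAME}}', '-p', '{{SERVER-PORT}}', '-D', $rootdn, '-w', $passwd, '-a')` — would bypass the shell altogether and make the escaping unnecessary. `$escaped` is also introduced as a new file-level global; `my $escaped = shellEscape($passwd);` keeps it scoped to this section. Note that `-w $escaped` still places the password in the child's argument list, where it is readable by other local users through the process table; since these wrappers already accept `-j filename`, forwarding a password file to the tool, if the bundled ldapmodify supports one, would avoid that exposure.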
--- a/ldap/admin/src/scripts/template-db2bak.pl.in +++ b/ldap/admin/src/scripts/template-db2bak.pl.in @@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " [-a dirname] [-t dbtype]\n"); @@ -122,7 +125,8 @@ libpath_add("/usr/lib"); $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}"; print("Back up directory: $archivedir\n"); -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-db2index.pl.in b/ldap/admin/src/scripts/template-db2index.pl.in index 39454c5..2423d36 100644 --- a/ldap/admin/src/scripts/template-db2index.pl.in +++ b/ldap/admin/src/scripts/template-db2index.pl.in @@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " -n instance [-t attributeName[:indextypes[:matchingrules]]]\n"); @@ -226,7 +229,8 @@ $cn = "cn: $taskname\n"; $nsinstance = "nsInstance: ${instance}\n"; $entry = "${dn}${misc}${cn}${nsinstance}${attribute}${vlvattribute}"; -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-db2ldif.pl.in b/ldap/admin/src/scripts/template-db2ldif.pl.in index febedd4..d1b1f39 100644 --- a/ldap/admin/src/scripts/template-db2ldif.pl.in 
+++ b/ldap/admin/src/scripts/template-db2ldif.pl.in @@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " {-n instance}* | {-s include}* [{-x exclude}*] \n"); @@ -266,7 +269,8 @@ libpath_add("/usr/lib"); $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}"; print("Exporting to ldif file: ${ldiffile}\n"); -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in b/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in index 67f0b31..d9dd336 100644 --- a/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in +++ b/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in @@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " [-l linkDN]\n"); @@ -152,7 +155,8 @@ if ($linkdn_arg ne "") } $entry = "${dn}${misc}${cn}${basedn}${linkdn}"; -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-fixup-memberof.pl.in b/ldap/admin/src/scripts/template-fixup-memberof.pl.in index 77a1528..f05def0 100644 --- a/ldap/admin/src/scripts/template-fixup-memberof.pl.in +++ b/ldap/admin/src/scripts/template-fixup-memberof.pl.in 
@@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " -b baseDN [-f filter]\n"); @@ -163,7 +166,8 @@ if ( $filter_arg ne "" ) } $entry = "${dn}${misc}${cn}${basedn}${filter}"; -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-ldif2db.pl.in b/ldap/admin/src/scripts/template-ldif2db.pl.in index 1cf83b4..5fff029 100644 --- a/ldap/admin/src/scripts/template-ldif2db.pl.in +++ b/ldap/admin/src/scripts/template-ldif2db.pl.in @@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " -n instance | {-s include}* [{-x exclude}*] [-O] [-c]\n"); @@ -224,7 +227,8 @@ libpath_add("@nss_libdir@"); libpath_add("/usr/lib"); $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}"; -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-ns-accountstatus.pl.in b/ldap/admin/src/scripts/template-ns-accountstatus.pl.in index 8e2e590..e97d1bc 100644 --- a/ldap/admin/src/scripts/template-ns-accountstatus.pl.in +++ b/ldap/admin/src/scripts/template-ns-accountstatus.pl.in 
@@ -43,6 +43,9 @@ # SUB-ROUTINES ############################### +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage_and_exit { print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n"); @@ -110,7 +113,7 @@ sub indirectLock my $L_local; -`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `; +`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `; $retCode=$?; if ( $retCode != 0 ) { @@ -119,13 +122,13 @@ if ( $retCode != 0 ) } # Check if the role is a nested role - @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" "; + @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" "; # L_isNested == 1 means that we are going through a nested role, so for each member of that # nested role, check that the member is below the scope of the nested $L_isNested=@L_Nested; # Not Direct Lock, Go through roles if any - $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn "; + $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn "; debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n"); 
@@ -247,7 +250,7 @@ sub memberOf my $L_search; my $L_currentrole; - $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole"; + $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole"; debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n"); @@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}"; # User values $rootdn= "{{ROOT-DN}}"; $rootpw= ""; +$escaped= ""; $pwfile= ""; $host= "{{SERVER-NAME}}"; $port= "{{SERVER-PORT}}"; @@ -489,11 +493,12 @@ if( $entry eq "" ) usage_and_exit(); } +$escaped = shellEscape($rootpw); # # Check the actual existence of the entry to inactivate/activate # and at the same time, validate the various parm: port, host, rootdn, rootpw # -@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`; +@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`; $retCode1=$?; if ( $retCode1 != 0 ) { @@ -501,7 +506,7 @@ if ( $retCode1 != 0 ) exit $retCode1; } -@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`; +@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`; $nbLineRole=@isRole; $retCode2=$?; if ( $retCode2 != 0 ) @@ -527,7 +532,7 @@ else $isLocked=0; if ( $single == 1 ) { - $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock"; + $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock"; open (LDAP1, "$searchAccountLock |"); while () { s/\n //g; 
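Review bot: `$escaped` is consumed inside `indirectLock` and `memberOf` (hunks -110 and -247) as a file-level global, but it is assigned only at top level immediately before the `@exist` search; if either sub is reachable before that statement, its ldapsearch runs with an empty `-w`. Assigning it at the point where `$rootpw` is finalised (after the `-w -`/`-j` handling, which lies outside these hunks) removes the ordering dependence; ns-activate and ns-inactivate have the same layout and the same issue. On the same lines, `-b \"$entry\"`, `\"$L_base\"` and the `cn=\\"@suffixN\\"` filter remain inside shell double quotes, so a DN or suffix containing `$` or a backquote is still evaluated by the shell — and `$L_base`/`@suffixN` appear to be taken from earlier search results rather than typed by the operator. Passing those through the helper too, e.g. `-b " . shellEscape($L_base) . " `, would make the fix consistent across the file.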
@@ -575,7 +580,7 @@ while ($cont == 0) # ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\"" # debug("\tSuffix from the entry: #@suffixN#\n"); - @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `; + @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `; $retCode=$?; if ( $retCode != 0 ) @@ -649,7 +654,7 @@ if ( $operation eq "inactivate" ) "\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'", "cn=nsAccountInactivation_cos,@suffixN" ); - $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 "; + $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 "; @role1=( "dn: cn=nsManagedDisabledRole,@suffixN\n", "objectclass: LDAPsubentry\n", @@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" ) # # Inactivate/activate the entry # -$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1"; +$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1"; if ( $single == 1 ) { @record=( diff --git a/ldap/admin/src/scripts/template-ns-activate.pl.in b/ldap/admin/src/scripts/template-ns-activate.pl.in index 8e2e590..3cc53e9 100644 --- a/ldap/admin/src/scripts/template-ns-activate.pl.in +++ b/ldap/admin/src/scripts/template-ns-activate.pl.in @@ -43,6 +43,9 @@ # SUB-ROUTINES ############################### +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage_and_exit { print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n"); 
@@ -110,7 +113,7 @@ sub indirectLock my $L_local; -`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `; +`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `; $retCode=$?; if ( $retCode != 0 ) { @@ -119,13 +122,13 @@ if ( $retCode != 0 ) } # Check if the role is a nested role - @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" "; + @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" "; # L_isNested == 1 means that we are going through a nested role, so for each member of that # nested role, check that the member is below the scope of the nested $L_isNested=@L_Nested; # Not Direct Lock, Go through roles if any - $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn "; + $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn "; debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n"); @@ -247,7 +250,7 @@ sub memberOf my $L_search; my $L_currentrole; - $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole"; + $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole"; debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n"); 
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}"; # User values $rootdn= "{{ROOT-DN}}"; $rootpw= ""; +$escaped= ""; $pwfile= ""; $host= "{{SERVER-NAME}}"; $port= "{{SERVER-PORT}}"; @@ -493,7 +497,8 @@ if( $entry eq "" ) # Check the actual existence of the entry to inactivate/activate # and at the same time, validate the various parm: port, host, rootdn, rootpw # -@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`; +$escaped = shellEscape($rootpw); +@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`; $retCode1=$?; if ( $retCode1 != 0 ) { @@ -501,7 +506,7 @@ if ( $retCode1 != 0 ) exit $retCode1; } -@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`; +@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`; $nbLineRole=@isRole; $retCode2=$?; if ( $retCode2 != 0 ) @@ -527,7 +532,7 @@ else $isLocked=0; if ( $single == 1 ) { - $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock"; + $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock"; open (LDAP1, "$searchAccountLock |"); while () { s/\n //g; @@ -575,7 +580,7 @@ while ($cont == 0) # ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\"" # debug("\tSuffix from the entry: #@suffixN#\n"); - @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `; + @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `; $retCode=$?; if ( $retCode != 0 ) 
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" ) "\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'", "cn=nsAccountInactivation_cos,@suffixN" ); - $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 "; + $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 "; @role1=( "dn: cn=nsManagedDisabledRole,@suffixN\n", "objectclass: LDAPsubentry\n", @@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" ) # # Inactivate/activate the entry # -$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1"; +$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1"; if ( $single == 1 ) { @record=( diff --git a/ldap/admin/src/scripts/template-ns-inactivate.pl.in b/ldap/admin/src/scripts/template-ns-inactivate.pl.in index 8e2e590..3cc53e9 100644 --- a/ldap/admin/src/scripts/template-ns-inactivate.pl.in +++ b/ldap/admin/src/scripts/template-ns-inactivate.pl.in @@ -43,6 +43,9 @@ # SUB-ROUTINES ############################### +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage_and_exit { print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n"); @@ -110,7 +113,7 @@ sub indirectLock my $L_local; -`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `; +`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `; $retCode=$?; if ( $retCode != 0 ) { 
@@ -119,13 +122,13 @@ if ( $retCode != 0 ) } # Check if the role is a nested role - @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" "; + @L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\" "; # L_isNested == 1 means that we are going through a nested role, so for each member of that # nested role, check that the member is below the scope of the nested $L_isNested=@L_Nested; # Not Direct Lock, Go through roles if any - $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn "; + $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn "; debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n"); @@ -247,7 +250,7 @@ sub memberOf my $L_search; my $L_currentrole; - $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole"; + $L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole"; debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n"); @@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}"; # User values $rootdn= "{{ROOT-DN}}"; $rootpw= ""; +$escaped= ""; $pwfile= ""; $host= "{{SERVER-NAME}}"; $port= "{{SERVER-PORT}}"; 
@@ -493,7 +497,8 @@ if( $entry eq "" ) # Check the actual existence of the entry to inactivate/activate # and at the same time, validate the various parm: port, host, rootdn, rootpw # -@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`; +$escaped = shellEscape($rootpw); +@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`; $retCode1=$?; if ( $retCode1 != 0 ) { @@ -501,7 +506,7 @@ if ( $retCode1 != 0 ) exit $retCode1; } -@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`; +@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`; $nbLineRole=@isRole; $retCode2=$?; if ( $retCode2 != 0 ) @@ -527,7 +532,7 @@ else $isLocked=0; if ( $single == 1 ) { - $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock"; + $searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock"; open (LDAP1, "$searchAccountLock |"); while () { s/\n //g; @@ -575,7 +580,7 @@ while ($cont == 0) # ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\"" # debug("\tSuffix from the entry: #@suffixN#\n"); - @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `; + @mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `; $retCode=$?; if ( $retCode != 0 ) 
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" ) "\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'", "cn=nsAccountInactivation_cos,@suffixN" ); - $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 "; + $addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 "; @role1=( "dn: cn=nsManagedDisabledRole,@suffixN\n", "objectclass: LDAPsubentry\n", @@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" ) # # Inactivate/activate the entry # -$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1"; +$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1"; if ( $single == 1 ) { @record=( diff --git a/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in b/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in index bd9b238..a41c342 100755 --- a/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in +++ b/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in @@ -40,6 +40,7 @@ # use lib qw(@perlpath@); +use DSUtil qw(shellEscape); # enable the use of our bundled perldap with our bundled ldapsdk libraries # all of this nonsense can be omitted if the mozldapsdk and perldap are @@ -112,6 +113,7 @@ sub usage { print (STDERR "Please provide at least -S or -U option.\n\n"); } + $escaped = shellEscape($opt_w); # Now, check if the user/group exists if ($opt_S) { @@ -126,8 +128,8 @@ sub usage { "cn=nsPwPolicy_cos,$opt_S" ); - $ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c -a 2>&1"; - $modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c 2>&1"; + $ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c -a 2>&1"; + $modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c 2>&1"; @container=( "dn: cn=nsPwPolicyContainer,$opt_S\n", 
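Review bot: The added `$escaped = shellEscape($opt_w);` in the -112 hunk appears indented four spaces while the neighbouring statements (`}` and `if ($opt_S) {`) sit at column 0, so it reads as if it belonged to the preceding block; aligning it at column 0 and placing it with the other option post-processing would make the flow clearer. The `$ldapadd`/`$modifyCfg` pair is built identically in the -126 and -223 hunks; a small helper that assembles the ldapmodify command string once would keep the escaping in a single place rather than in two copies that must be kept in sync.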
@@ -223,8 +225,8 @@ sub usage { "cn=cn\\=nsPwPolicyEntry\\,$esc_opt_U,cn=nsPwPolicyContainer,$parentDN" ); - $ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c -a 2>&1"; - $modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c 2>&1"; + $ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c -a 2>&1"; + $modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c 2>&1"; @container=( "dn: cn=nsPwPolicyContainer,$parentDN\n", diff --git a/ldap/admin/src/scripts/template-schema-reload.pl.in b/ldap/admin/src/scripts/template-schema-reload.pl.in index 6b64b5e..96cc48d 100644 --- a/ldap/admin/src/scripts/template-schema-reload.pl.in +++ b/ldap/admin/src/scripts/template-schema-reload.pl.in @@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " [-d schemadir]\n"); @@ -152,7 +155,8 @@ if ( $schemadir_arg ne "" ) } $entry = "${dn}${misc}${cn}${basedn}${schemadir}"; -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-syntax-validate.pl.in b/ldap/admin/src/scripts/template-syntax-validate.pl.in index b40ef69..6008a2d 100644 --- a/ldap/admin/src/scripts/template-syntax-validate.pl.in +++ b/ldap/admin/src/scripts/template-syntax-validate.pl.in @@ -39,6 +39,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n"); print(STDERR " -b baseDN [-f filter]\n"); 
@@ -163,7 +166,8 @@ if ( $filter_arg ne "" ) } $entry = "${dn}${misc}${cn}${basedn}${filter}"; -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; diff --git a/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in b/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in index 92c106d..928ccc9 100644 --- a/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in +++ b/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in @@ -38,6 +38,9 @@ # END COPYRIGHT BLOCK # +use lib qw(@perlpath@); +use DSUtil qw(shellEscape); + sub usage { print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } -s suffix | -n backend [ -m maxusn_to_delete ]\n"); print(STDERR " Opts: -D rootdn - Directory Manager\n"); @@ -180,7 +183,8 @@ if ( $maxusn_arg ne "" ) } $entry = "${dn}${misc}${cn}${basedn}${args}"; -open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" ); +$escaped = shellEscape($passwd); +open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" ); print(FOO "$entry"); close(FOO); $retcode = $?>>8; -- 1.9.3