Try to resolve the name passed into the password reader to a file

Rather than comparing the value passed in by Apache to a
hostname value just see if there is a file of that name in
/var/lib/ipa/passwds.

Use realpath to see if path information was passed in as one of
the options so that someone can't try to return random files from
the filesystem.

https://pagure.io/freeipa/issue/7528

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Rob Crittenden 2018-09-19 08:35:57 -04:00
parent d020fc49a6
commit e3820682c7

View File

@ -5,32 +5,21 @@
# see the documentation of the aforementioned directive of the mod_ssl module. # see the documentation of the aforementioned directive of the mod_ssl module.
USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number" USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
ERR_UNKNOWN_KEY="\
ERROR: You seem to be running a non-standard IPA installation.
Please extend the /var/libexec/ipa/ipa-pwdreader script to cover your case."
if [ ! "$#" -eq 2 ]; then if [ "$#" -ne 2 ]; then
echo "Wrong number of arguments!" 1>&2 echo "Wrong number of arguments!" 1>&2
echo "$USAGE" 1>&2 echo "$USAGE" 1>&2
exit 1 exit 1
fi fi
fname=${1/:/-}-$2
pwdpath=/var/lib/ipa/passwds/$fname
case "$1" in # Make sure the values passed in do not contain path information
"${HOSTNAME}:443" ) checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)
# Read IPA password
# IPA expects the password filename format to be if [ $pwdpath == "${checkpath}" ]; then
# <hostname>-<port>-<ecryption_algorithm> cat $pwdpath
IPA_PASSWD_PATH="/var/lib/ipa/passwds/${1/:/-}-$2" else
cat $IPA_PASSWD_PATH echo "Invalid path ${pwdpath}" 1>&2
;; fi
# ================
# Extend for more virtual hosts with
# <vhostname>:<vhost_port> )
# your_code
# ;;
# ================
*)
echo "$ERR_UNKNOWN_KEY" 1>&2
exit 1
esac