Try to resolve the name passed into the password reader to a file
Rather than comparing the value passed in by Apache to a hostname value, just see if there is a file of that name in /var/lib/ipa/passwds. Use realpath to see if path information was passed in as one of the options, so that someone can't try to return random files from the filesystem. https://pagure.io/freeipa/issue/7528 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
d020fc49a6
commit
e3820682c7
@ -5,32 +5,21 @@
|
|||||||
# see the documentation of the aforementioned directive of the mod_ssl module.
|
# see the documentation of the aforementioned directive of the mod_ssl module.
|
||||||
|
|
||||||
USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
|
USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
|
||||||
ERR_UNKNOWN_KEY="\
|
|
||||||
ERROR: You seem to be running a non-standard IPA installation.
|
|
||||||
Please extend the /var/libexec/ipa/ipa-pwdreader script to cover your case."
|
|
||||||
|
|
||||||
if [ ! "$#" -eq 2 ]; then
|
if [ "$#" -ne 2 ]; then
|
||||||
echo "Wrong number of arguments!" 1>&2
|
echo "Wrong number of arguments!" 1>&2
|
||||||
echo "$USAGE" 1>&2
|
echo "$USAGE" 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
fname=${1/:/-}-$2
|
||||||
|
pwdpath=/var/lib/ipa/passwds/$fname
|
||||||
|
|
||||||
case "$1" in
|
# Make sure the values passed in do not contain path information
|
||||||
"${HOSTNAME}:443" )
|
checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)
|
||||||
# Read IPA password
|
|
||||||
# IPA expects the password filename format to be
|
if [ $pwdpath == "${checkpath}" ]; then
|
||||||
# <hostname>-<port>-<ecryption_algorithm>
|
cat $pwdpath
|
||||||
IPA_PASSWD_PATH="/var/lib/ipa/passwds/${1/:/-}-$2"
|
else
|
||||||
cat $IPA_PASSWD_PATH
|
echo "Invalid path ${pwdpath}" 1>&2
|
||||||
;;
|
fi
|
||||||
# ================
|
|
||||||
# Extend for more virtual hosts with
|
|
||||||
# <vhostname>:<vhost_port> )
|
|
||||||
# your_code
|
|
||||||
# ;;
|
|
||||||
# ================
|
|
||||||
*)
|
|
||||||
echo "$ERR_UNKNOWN_KEY" 1>&2
|
|
||||||
exit 1
|
|
||||||
esac
|
|
||||||
|
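Review bot: The new `checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)`, `if [ $pwdpath == "${checkpath}" ]; then` and `cat $pwdpath` lines expand `$pwdpath` unquoted even though it is built directly from the `$1`/`$2` that Apache hands the script; a value containing whitespace or glob characters is word-split, so realpath receives several arguments and `[` sees a malformed test, and the script then dies with a shell error instead of taking the intended rejection branch. Quote each use: `checkpath=$(/usr/bin/realpath -e "${pwdpath}" 2>/dev/null)`, `if [ "$pwdpath" == "${checkpath}" ]; then`, `cat "$pwdpath"`. The `else` branch also prints `Invalid path` but then falls off the end of the script with status 0, whereas the removed `*)` arm exited 1; adding `exit 1` after that echo keeps the non-zero status the caller previously got for an unknown key. The realpath equality check rejects `..` segments and symlinks leading outside the directory, but it presumably still accepts a name that resolves to a regular file inside a subdirectory of /var/lib/ipa/passwds; worth stating in the `# Make sure the values passed in do not contain path information` comment whether that is intended.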