mod_nss: use more robust quoting of NSSNickname directive

The code which handles configuration of mod_nss module must be more robust when handling NSS nicknames generated from subject names containing quoted RDN values. https://fedorahosted.org/freeipa/ticket/5809 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-09-23 15:56:46 +02:00 · 2016-09-23 15:56:46 +02:00 · ee96384c3e
commit ee96384c3e
parent 4d994bee60
2 changed files with 33 additions and 12 deletions
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -263,7 +263,8 @@ class HTTPInstance(service.Service):
            print("Updating port in %s failed." % paths.HTTPD_NSS_CONF)

    def __set_mod_nss_nickname(self, nickname):
-        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)
+        installutils.set_directive(
+            paths.HTTPD_NSS_CONF, 'NSSNickname', nickname, quote_char="'")

    def set_mod_nss_protocol(self):
        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False)
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@ -376,13 +376,35 @@ def update_file(filename, orig, subst):
        print("File %s doesn't exist." % filename)
        return 1

-def set_directive(filename, directive, value, quotes=True, separator=' '):
+
+def set_directive(filename, directive, value, quotes=True, separator=' ',
+                  quote_char='\"'):
    """Set a name/value pair directive in a configuration file.

    A value of None means to drop the directive.

    This has only been tested with nss.conf
+
+   :param directive: directive name
+   :param value: value of the directive
+   :param quotes: whether to quote `value` in `quote_char`. If true, then
+        the `quote_char` are first escaped to avoid unparseable directives
+   :param quote_char: the character used for quoting `value`
    """
+
+    def format_directive(directive, value, separator, quotes, quote_char):
+        directive_sep = "{directive}{separator}".format(directive=directive,
+                                                        separator=separator)
+        transformed_value = value
+        if quotes:
+            transformed_value = "{quote}{value}{quote}".format(
+                quote=quote_char,
+                value="".join(ipautil.escape_seq(quote_char, value))
+            )
+
+        return "{directive_sep}{value}\n".format(
+            directive_sep=directive_sep, value=transformed_value)
+
    valueset = False
    st = os.stat(filename)
    fd = open(filename)
@ -391,19 +413,17 @@ def set_directive(filename, directive, value, quotes=True, separator=' '):
        if line.lstrip().startswith(directive):
            valueset = True
            if value is not None:
-                if quotes:
-                    newfile.append('%s%s"%s"\n' % (directive, separator, value))
-                else:
-                    newfile.append('%s%s%s\n' % (directive, separator, value))
+                newfile.append(
+                    format_directive(
+                        directive, value, separator, quotes, quote_char))
        else:
            newfile.append(line)
    fd.close()
    if not valueset:
        if value is not None:
-            if quotes:
-                newfile.append('%s%s"%s"\n' % (directive, separator, value))
-            else:
-                newfile.append('%s%s%s\n' % (directive, separator, value))
+            newfile.append(
+                format_directive(
+                    directive, value, separator, quotes, quote_char))

    fd = open(filename, "w")
    fd.write("".join(newfile))