freeipa/install/tools/ipa-httpd-pwdreader
Rob Crittenden e3820682c7 Try to resolve the name passed into the password reader to a file
Rather than comparing the value passed in by Apache to a
hostname value just see if there is a file of that name in
/var/lib/ipa/passwds.

Use realpath to see if path information was passed in as one of
the options so that someone can't try to return random files from
the filesystem.

https://pagure.io/freeipa/issue/7528

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-19 11:42:49 -04:00

26 lines
690 B
Bash
Executable File

#!/bin/bash
# This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
#
# If you'd like to write your custom binary providing passwords to mod_ssl,
# see the documentation of the aforementioned directive of the mod_ssl module.
USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
if [ "$#" -ne 2 ]; then
echo "Wrong number of arguments!" 1>&2
echo "$USAGE" 1>&2
exit 1
fi
fname=${1/:/-}-$2
pwdpath=/var/lib/ipa/passwds/$fname
# Make sure the values passed in do not contain path information
checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)
if [ $pwdpath == "${checkpath}" ]; then
cat $pwdpath
else
echo "Invalid path ${pwdpath}" 1>&2
fi