Hi Mike,

I didn't find time to address this bug today. But I'm back in my office on Wednesday, sorry.

What version of GOsa do you use, 2.6.12? There is still escaping for the password hook parameters in html/password.php, or do you mean another place where a hook is executed? Can you explain where exactly the problem occurs? This would help a lot.

Fabian

On Friday, 27.04.2012, at 10:34 +0200, Mike Gabriel wrote:
> Hi Fabian,
>
> re-including the BTS issue #665950 ...
>
> On Thu 26 Apr 2012 10:41:53 CEST Fabian Hickert wrote:
>
> > The problem is that passwords with special chars break the hook
> > execution? Is this correct?
>
> Yes, and more. All substituted variables within hook scripts bear the
> risk of executing arbitrary code if spaces in %someHookVariable do not
> get escaped.
>
> > I guess, I can test this tomorrow evening..
>
> Please do! Thanks a lot for your immediate response.
>
> Greets,
> Mike
>
>

--
Visit us at LinuxTag in Berlin, 23.-26.05.2012. Hall 7.2a, Booth 133

Fabian Hickert <fabian.hick...@gonicus.de> (System Engineer)
* GONICUS GmbH * Moehnestrasse 11-17 * D-59755 Arnsberg
* Tel.: +49 (0) 29 32 / 9 16 - 0 * Fax: +49 (0) 29 32 / 9 16 - 242
* http://www.GONICUS.de * http://twitter.com/gonicus
* Registered office: Moehnestrasse 11-17 * D-59755 Arnsberg
* Managing directors: Rainer Luelsdorf, Alfred Schroeder
* Chairman of the advisory board: Juergen Michels
* District court: Amtsgericht Arnsberg * HRB 1968
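The escaping issue discussed in this thread, as an added example that is not GOsa code and not part of either message: placeholders in a hook command line are expanded once without and once with `escapeshellarg()`, and a stand-in hook reports how many arguments it received. The function names, the `%uid` and `%userPassword` placeholders, the template and the sample values are all hypothetical.

```php
<?php
// Added illustration; not taken from GOsa. All names here are hypothetical.

/**
 * Expand %name placeholders in a hook command line.
 * With $escape = true every value goes through escapeshellarg(),
 * so the shell sees each value as exactly one argument.
 */
function expand_hook(string $template, array $vars, bool $escape): string
{
    $map = [];
    foreach ($vars as $name => $value) {
        $map['%' . $name] = $escape ? escapeshellarg($value) : $value;
    }
    // strtr() tries the longest keys first, so %uid cannot clobber %uidNumber.
    return strtr($template, $map);
}

/** Run the command and return the argument count printed by the stand-in hook. */
function count_hook_args(string $command): int
{
    exec($command, $output, $status);
    return ($status === 0 && isset($output[0])) ? (int) $output[0] : -1;
}

// Stand-in for a hook script: prints the number of arguments it was given.
$template = 'sh -c \'echo $#\' hook %uid %userPassword';

// Constructed sample values; the password contains a space.
$vars = ['uid' => 'jdoe', 'userPassword' => 'correct horse'];

$raw  = expand_hook($template, $vars, false);
$safe = expand_hook($template, $vars, true);

// The hook is meant to receive two arguments: the uid and the password.
foreach (['unescaped' => $raw, 'escaped' => $safe] as $label => $command) {
    printf("%-9s %s\n          -> %d argument(s) seen by the hook\n",
        $label, $command, count_hook_args($command));
}
```

Run on a system with a POSIX `sh`, the unescaped expansion hands the hook more arguments than the two it expects because the shell splits the password at the space, while the escaped expansion delivers the password as a single argument.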