Merge pull request #253 from Koumbit/247_escape-mysql-passwords-at-install

Fix #247: escape mysql passwords at install Backport from merge set in stable-3.1 Merge remote-tracking branch 'remotes/koumbit/247_escape-mysql-passwords-at-install'
2023-08-15 10:23:13 +02:00 · 2023-08-15 10:23:13 +02:00 · 9e2345bc2b
parent d78a5026ab 5a4f924088
commit 9e2345bc2b
1 changed files with 16 additions and 5 deletions
--- a/install/alternc.install
+++ b/install/alternc.install
@ -264,6 +264,14 @@ PHPMYADMIN_BLOWFISH="$(generate_string 32)"
 # XXX: I assume this is secure if /tmp is sticky (+t)
 # we should have a better way to deal with templating, of course.
 SED_SCRIPT="/tmp/alternc.install.sedscript"
+# Escape passwords for sed and restore afterwards
+# Escaping '&' and '|' since those are used as special characters
+MYSQL_PASS_ORIG="$MYSQL_PASS"
+MYSQL_PASS=$(echo "$MYSQL_PASS" | sed -e 's/[|&]/\\&/g')
+MYSQL_MAIL_PASS_ORIG="$MYSQL_MAIL_PASS"
+MYSQL_MAIL_PASS=$(echo "$MYSQL_MAIL_PASS" | sed -e 's/[|&]/\\&/g')
+PHPMYADMIN_BLOWFISH_ORIG="$PHPMYADMIN_BLOWFISH_ORIG"
+PHPMYADMIN_BLOWFISH=$(echo "$PHPMYADMIN_BLOWFISH" | sed -e 's/[|&]/\\&/g')
 cat > $SED_SCRIPT <<EOF
 s\\%%hosting%%\\$HOSTING\\;
 s\\%%fqdn%%\\$FQDN\\;
@ -277,9 +285,9 @@ s\\%%mx%%\\$DEFAULT_MX\\;
 s\\%%dbhost%%\\$MYSQL_HOST\\;
 s\\%%dbname%%\\$MYSQL_DATABASE\\;
 s\\%%dbuser%%\\$MYSQL_USER\\;
-s\\%%dbpwd%%\\$MYSQL_PASS\\;
+s|%%dbpwd%%|$MYSQL_PASS|;
 s\\%%db_mail_user%%\\$MYSQL_MAIL_USER\\;
-s\\%%db_mail_pwd%%\\$MYSQL_MAIL_PASS\\;
+s|%%db_mail_pwd%%|$MYSQL_MAIL_PASS|;
 s\\%%warning_message%%\\$WARNING\\;
 s\\%%fqdn_lettre%%\\$FQDN_LETTER\\;
 s\\%%version%%\\$VERSION\\;
@ -287,12 +295,15 @@ s\\%%ns2_ip%%\\$NS2_IP\\;
 s\\%%ALTERNC_HTML%%\\$ALTERNC_HTML\\;
 s\\%%ALTERNC_MAIL%%\\$ALTERNC_MAIL\\;
 s\\%%ALTERNC_LOGS%%\\$ALTERNC_LOGS\\;
-s\\%%PHPMYADMIN_BLOWFISH%%\\$PHPMYADMIN_BLOWFISH\\;
+s|%%PHPMYADMIN_BLOWFISH%%|$PHPMYADMIN_BLOWFISH|;
 EOF
+MYSQL_PASS="$MYSQL_PASS_ORIG"
+MYSQL_MAIL_PASS="$MYSQL_MAIL_PASS_ORIG"
+PHPMYADMIN_BLOWFISH="$PHPMYADMIN_BLOWFISH_ORIG"

-# hook 
+# hook
 test -d /usr/lib/alternc/install.d || mkdir -p /usr/lib/alternc/install.d
-run-parts --arg=templates /usr/lib/alternc/install.d 
+run-parts --arg=templates /usr/lib/alternc/install.d


 ######################################################################