git.ipfire.org Git - people/stevee/ipfire-2.x.git/commit

author	Adolf Belka <adolf.belka@ipfire.org>
	Sun, 9 Mar 2025 14:12:03 +0000 (15:12 +0100)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Mon, 10 Mar 2025 09:58:35 +0000 (09:58 +0000)
commit	00f280fdb1812f5afef1a55e08c1ddc1ba923800
tree	1f69caa55f0a2a7676778fa8c1ecaca88fb42888	tree
parent	21eb4dcc231fad6eae663e0dd6c9e93643476476	commit \| diff

vpnmain.cgi: Fixes bug12298 - IPSec password cannot use semicolon

- The password for the pkcs12 certificate is passed to the open ssl command via $opt but
   it is not quoted and so the ; is taken as the end of the command rather than as part
   of the password. This also means that a pkcs12 file is not created and the .pem
   intermediate file is what is left in the directory.
- This patch makes the -passout option quoted in the same way as the -name and -caname
   options.
- Based on being the same as the name and caname parts in $opt, I believe that this should
   not give rise to a vulnerability but I am open to being corrected.
- By quoting the -passout then the password must not contain double quotation marks, ",
   so a test for the password containing a " has been added.
- The message about the use of the double quotation mark has been added to the english,
   dutch and german language files. Feel free to correct if what I have used is not
   correct. Those are in the other patch of this patch set.
- Tested out on my testbed system. I was able to create a pkcs12 certificate with a
   password containing a variety of characters, including the semicolon, and getting
   a message that the password contains a double quotation mark when I used that.

Fixes: bug12298
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>