- The password for the pkcs12 certificate is passed to the openssl command via $opt but
it is not quoted and so the ; is taken as the end of the command rather than as part
of the password. This also means that a pkcs12 file is not created and the .pem
intermediate file is what is left in the directory.
- This patch makes the -passout option quoted in the same way as the -name and -caname
options.
- Based on being the same as the name and caname parts in $opt, I believe that this should
not give rise to a vulnerability but I am open to being corrected.
- By quoting the -passout then the password must not contain double quotation marks, ",
so a test for the password containing a " has been added.
- The message about the use of the double quotation mark has been added to the English,
Dutch and German language files. Feel free to correct if what I have used is not
correct. Those are in the other patch of this patch set.
- Tested out on my testbed system. I was able to create a pkcs12 certificate with a
password containing a variety of characters, including the semicolon, and getting
a message that the password contains a double quotation mark when I used that.
Fixes: bug12298
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
$errormessage = $Lang::tr{'password too short'};
goto VPNCONF_ERROR;
}
+ if ($cgiparams{'CERT_PASS1'} =~ /["]/) {
+ $errormessage = $Lang::tr{'password has quotation mark'};
+ goto VPNCONF_ERROR;
+ }
if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
$errormessage = $Lang::tr{'passwords do not match'};
goto VPNCONF_ERROR;
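Review bot: The new CERT_PASS1 test rejects only the double quotation mark, but the value is later placed inside a double-quoted shell word, where `$`, the backtick and the backslash keep their special meaning. A password containing any of those can still be expanded or altered by the shell before openssl receives it, so the check covers the `;` case from the bug report but not the full set of characters that matter in this quoting context. Either reject those characters in the same test (and word the error message accordingly), or drop the restriction entirely by handing the password to openssl without shell parsing.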
$opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
$opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
$opt .= " -name \"$cgiparams{'NAME'}\"";
- $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}";
+ $opt .= " -passout pass:\"$cgiparams{'CERT_PASS1'}\"";
$opt .= " -certfile ${General::swroot}/ca/cacert.pem";
$opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\"";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12";
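Review bot: On the changed -passout line, wrapping the value in \"...\" still sends the password through shell parsing and keeps it on the openssl command line, where it is visible in the process list while the command runs. Consider passing it out of band with openssl's `-passout env:VAR` or `-passout file:pathname` forms, or invoking openssl with an argument list so that no shell is involved. The -name and -caname lines are only a safe precedent for this quoting if NAME and ROOTCERT_ORGANIZATION are validated against shell metacharacters elsewhere, which these lines do not show.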