From: Stefan Metzmacher
Date: Fri, 8 May 2026 21:27:35 +0000 (+0200)
Subject: CVE-2026-4408: s3:testparm: warn about 'check password script' %u usage
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a4b214e799b74124f186c7da22e085d43e604cec;p=thirdparty%2Fsamba.git
CVE-2026-4408: s3:testparm: warn about 'check password script' %u usage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher
Reviewed-by: Douglas Bagnall
---
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 156a78c0f69..b7ee97ef7c4 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -384,6 +384,7 @@ static int do_global_checks(void)
 const char **lp_ptr = NULL;
 const struct loadparm_substitution *lp_sub =
 loadparm_s3_global_substitution();
+const char *check_pw_script = NULL;
 int ival;
 
 fprintf(stderr, "\n");
@@ -856,6 +857,17 @@ static int do_global_checks(void)
 #endif
 }
 
+check_pw_script = lp_check_password_script(talloc_tos(), lp_sub);
+if (talloc_string_sub_mixed_quoting(check_pw_script, 'u')) {
+fprintf(stderr,
+"WARNING: You are using 'check password script' "
+"with mixed quoting and %%u.\n"
+"CVE-2026-4408 changed the way %%u substitution works. \n"
+"You should use the SAMBA_CPS_ACCOUNT_NAME "
+"environment variable exported to the script, or\n"
+"at least use single quotes (directly) around '%%u'.\n\n");
+}
+
 return ret;
 }
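Review bot: The value returned by `lp_check_password_script(talloc_tos(), lp_sub)` in the second hunk is handed straight to `talloc_string_sub_mixed_quoting()` without a NULL check; talloc-backed lp_ string getters presumably return NULL when the substitution allocation fails, and unless that helper (not visible in this diff) tolerates NULL, testparm would crash instead of warning, so `if (check_pw_script != NULL && talloc_string_sub_mixed_quoting(check_pw_script, 'u')) {` would be the safer guard. The message line `"CVE-2026-4408 changed the way %%u substitution works. \n"` carries a stray space before the newline that shows up in the output. It would also help a reader of do_global_checks() to state the intent above the new block, e.g. `/* CVE-2026-4408: %u in a mixed-quoted 'check password script' is no longer substituted the old way; point admins at SAMBA_CPS_ACCOUNT_NAME */`. Note that `ret` is left untouched, so this remains an advisory warning rather than a testparm failure; if that is deliberate, a short comment saying so would avoid a later reviewer "fixing" it.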