CVE-2026-4408: s3:testparm: warn about 'check password script' %u usage
authorStefan Metzmacher <metze@samba.org>
Fri, 8 May 2026 21:27:35 +0000 (23:27 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 26 May 2026 12:51:32 +0000 (12:51 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
source3/utils/testparm.c

index 156a78c0f6958b0933131a932ddbf1d4450bf852..b7ee97ef7c44cbf248cebdeb7a8d9c64f175ebb2 100644 (file)
@@ -384,6 +384,7 @@ static int do_global_checks(void)
        const char **lp_ptr = NULL;
        const struct loadparm_substitution *lp_sub =
                loadparm_s3_global_substitution();
+       const char *check_pw_script = NULL;
        int ival;
 
        fprintf(stderr, "\n");
@@ -856,6 +857,17 @@ static int do_global_checks(void)
 #endif
        }
 
+       check_pw_script = lp_check_password_script(talloc_tos(), lp_sub);
+       if (talloc_string_sub_mixed_quoting(check_pw_script, 'u')) {
+               fprintf(stderr,
+                       "WARNING: You are using 'check password script' "
+                       "with mixed quoting and %%u.\n"
+                       "CVE-2026-4408 changed the way %%u substitution works. \n"
+                       "You should use the SAMBA_CPS_ACCOUNT_NAME "
+                       "environment variable exported to the script, or\n"
+                       "at least use single quotes (directly) around '%%u'.\n\n");
+       }
+
        return ret;
 }
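Review bot: The value returned by `lp_check_password_script()` on the first added line is handed to `talloc_string_sub_mixed_quoting()` without a NULL check; the talloc'd lp_* string accessors can presumably return NULL when the substitution allocation fails, so unless the helper is documented to accept NULL, a guard such as `if (check_pw_script != NULL && talloc_string_sub_mixed_quoting(check_pw_script, 'u')) {` would make the new check robust. The warning text has a stray space before the newline in `"works. \n"`. Since this block only warns and leaves `ret` untouched, a short comment above it, e.g. `/* Warn only: mixed quoting around %u in 'check password script' is reported, not treated as an error. */`, would make that intent explicit. do_global_checks starts outside the hunk.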