https://bugs.kde.org/show_bug.cgi?id=432757
Bug ID: 432757
Summary: kdenetwork-filesharing: AuthHelper does not sanitize command-line arguments
Product: dolphin
Version: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: dolphin-bugs-n...@kde.org
Reporter: wolfgang.fri...@suse.com
CC: kfm-de...@kde.org
Target Milestone: ---

During a review of kdenetwork-filesharing [0] for inclusion in openSUSE Tumbleweed, I found an issue with the plugin's input validation of `authhelper`. It accepts arbitrary strings as user names, which are passed verbatim to `pdbedit`, `smbpasswd` and `usermod` respectively.

The privileged `authhelper` program does not sanitize user-supplied arguments properly. In particular, AuthHelper::createuser() accepts arbitrary strings as user names.

AuthHelper::createuser() calls `['smbpasswd', '-L', '-s', '-D', '0', '-a', user]`, and writes the password to the child's stdin. Some problematic user name arguments are:

* `-d`: Disables the Samba account for root.
* `-e`: Enables the Samba account for root, if it was intentionally disabled.
* `-n`: User root password set to none.

Remediation: Validate user names before passing them to the child process. An example validation function can be found in the standard "shadow" package [1]. A simple regular expression `\A[a-z_][a-z0-9_-]*\z` should be sufficient.

[0] https://bugzilla.opensuse.org/show_bug.cgi?id=1175633
[1] https://github.com/shadow-maint/shadow/blob/master/libmisc/chkname.c#L58
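The remediation proposed in the report, sketched as an added example that is not code from the report or from kdenetwork-filesharing: the user name is checked against the quoted pattern before it is appended to the `smbpasswd` argument vector. The function names `isValidUserName` and `buildCreateUserArgv` are hypothetical, and plain standard C++ is used here instead of the project's Qt types.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hand-written equivalent of \A[a-z_][a-z0-9_-]*\z. Checking bytes directly
// avoids regex-dialect differences, e.g. `$` matching before a trailing newline.
bool isValidUserName(const std::string &name)
{
    if (name.empty()) {
        return false;
    }
    const auto isLower = [](char c) { return c >= 'a' && c <= 'z'; };
    const auto isDigit = [](char c) { return c >= '0' && c <= '9'; };

    // First character must be a lowercase letter or '_', so a name can
    // never start with '-' and be parsed as an option by the child.
    if (!isLower(name.front()) && name.front() != '_') {
        return false;
    }
    for (std::size_t i = 1; i < name.size(); ++i) {
        const char c = name[i];
        if (!isLower(c) && !isDigit(c) && c != '_' && c != '-') {
            return false; // whitespace, newline, NUL, upper case, non-ASCII
        }
    }
    return true;
}

// Fills argv with the command line quoted in the report. Returns false and
// leaves argv empty for a rejected name, so the caller never spawns a child.
bool buildCreateUserArgv(const std::string &user, std::vector<std::string> &argv)
{
    argv.clear();
    if (!isValidUserName(user)) {
        return false;
    }
    argv = {"smbpasswd", "-L", "-s", "-D", "0", "-a", user};
    return true;
}

int main()
{
    // Constructed inputs: the three names from the report plus ordinary ones.
    for (const std::string name : {"-d", "-e", "-n", "alice", "_svc-1", "root\n"}) {
        std::vector<std::string> argv;
        std::cout << (buildCreateUserArgv(name, argv) ? "accept" : "reject") << '\n';
    }
    return 0;
}
```

The same check belongs in front of the `pdbedit` and `usermod` invocations the report mentions, since they receive the same user name.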