[dolphin] [Bug 432757] New: kdenetwork-filesharing: AuthHelper does not sanitize command-line arguments

Wolfgang Frisch bugzilla_noreply at kde.org
Wed Feb 10 20:10:08 GMT 2021


https://bugs.kde.org/show_bug.cgi?id=432757

            Bug ID: 432757
           Summary: kdenetwork-filesharing: AuthHelper does not sanitize
                    command-line arguments
           Product: dolphin
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: dolphin-bugs-null at kde.org
          Reporter: wolfgang.frisch at suse.com
                CC: kfm-devel at kde.org
  Target Milestone: ---

During a review of kdenetwork-filesharing [0] for inclusion in openSUSE
Tumbleweed, I found an issue with the plugin's input validation of
`authhelper`. It accepts arbitrary strings as user names, which are passed
verbatim to `pdbedit`, `smbpasswd` and `usermod` respectively.

The privileged `authhelper` program does not sanitize user-supplied arguments
properly. In particular, AuthHelper::createuser() accepts arbitrary strings as
user names.

AuthHelper::createuser() calls `['smbpasswd', '-L', '-s', '-D', '0', '-a',
user]`, and writes the password to the child's stdin.

Some problematic user name arguments are:

* `-d`: Disables the Samba account for root.
* `-e`: Enables the Samba account for root, if it was intentionally disabled.
* `-n`: User root password set to none.

Remediation:

Validate user names before passing them to the child process. An example
validation function can be found in the standard "shadow" package [1]. A simple
regular expression `\A[a-z_][a-z0-9_-]*\z` should be sufficient.

[0] https://bugzilla.opensuse.org/show_bug.cgi?id=1175633
[1] https://github.com/shadow-maint/shadow/blob/master/libmisc/chkname.c#L58

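The remediation described in the report, as an added example that is not part of the original report or the kdenetwork-filesharing code: a user-name check equivalent to the suggested `\A[a-z_][a-z0-9_-]*\z` pattern, applied before the `smbpasswd` argument list quoted above is built. The function names `isValidUserName` and `buildSmbpasswdArgs` are hypothetical, and the sample names in `main` are constructed.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Equivalent to \A[a-z_][a-z0-9_-]*\z: the whole string must match, so a
// leading '-', an empty name, a trailing newline or an embedded NUL all fail.
bool isValidUserName(const std::string &name)
{
    auto isLower = [](char c) { return c >= 'a' && c <= 'z'; };
    auto isDigit = [](char c) { return c >= '0' && c <= '9'; };

    if (name.empty())
        return false;
    if (!isLower(name[0]) && name[0] != '_')
        return false; // rejects option-like names such as "-d", "-e", "-n"
    for (char c : name) {
        if (!isLower(c) && !isDigit(c) && c != '_' && c != '-')
            return false;
    }
    return true;
}

// Hypothetical helper: fills `argv` with the smbpasswd invocation quoted in
// the report only when the user name passes validation. On failure `argv`
// is left empty and the caller must not start the child process.
bool buildSmbpasswdArgs(const std::string &user, std::vector<std::string> &argv)
{
    argv.clear();
    if (!isValidUserName(user))
        return false;
    argv = {"smbpasswd", "-L", "-s", "-D", "0", "-a", user};
    return true;
}

int main()
{
    // Constructed sample input: two ordinary names plus the three
    // problematic values listed in the report.
    const std::vector<std::string> samples = {"alice", "_svc-01", "-d", "-e", "-n"};
    for (const auto &name : samples) {
        std::vector<std::string> argv;
        const bool ok = buildSmbpasswdArgs(name, argv);
        std::cout << '"' << name << "\": " << (ok ? "accepted" : "rejected") << '\n';
    }
    return 0;
}
```

The same check would apply to the user names passed to `pdbedit` and `usermod`, which the report says receive the argument verbatim as well.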