[Pkg-mailman-hackers] Bug#992186: mailman3-web: Quoting in postinst broken
Uwe Kleine-König
uwe at kleine-koenig.org
Sun Aug 15 12:42:42 BST 2021
Package: mailman3-web
Version: 0+20200530-2
Severity: normal
Hello,
mailman3-web's postinst contains:
if [ -n "$su_name" ] && [ -n "$su_mail" ] && [ -n "$su_password" ]; then
$su_cmd "$django_admin shell $django_admin_args --command \
\"from django.contrib.auth.models import User; \
User.objects.filter(username='$su_name').delete(); \
User.objects.create_superuser('$su_name', \
'$su_mail', '$su_password')\"" www-data
fi
This is not robust for su_password (or su_name or su_mail) containing "
or '. When such a password is provided in the debconf dialog, in the
simplest case the script terminates with
sh: 1: Syntax error: Unterminated quoted string
But worse things can happen, see https://xkcd.com/327/. :-)
Best regards
Uwe
-- System Information:
Debian Release: 11.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mailman3-web depends on:
ii dbconfig-sqlite3 2.0.19
ii debconf [debconf-2.0] 1.5.77
ii init-system-helpers 1.60
ii lsb-base 11.1.0
ii python3 3.9.2-3
ii python3-django-hyperkitty 1.3.4-4
ii python3-django-postorius 1.3.4-2
ii python3-psycopg2 2.8.6-2
ii python3-whoosh 2.7.4+git6-g9134ad92-5
ii ucf 3.0043
ii uwsgi-core 2.0.19.1-7.1
ii uwsgi-plugin-python3 2.0.19.1-7.1
Versions of packages mailman3-web recommends:
ii libapache2-mod-proxy-uwsgi 2.4.48-3.1
Versions of packages mailman3-web suggests:
ii postgresql 13+225
-- debconf information excluded
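The pattern the report describes, next to a hardened form, as an added example that is not the mailman3-web postinst: the command text stays constant and the credentials travel in the environment, so neither the inner shell nor Python ever tokenises them. The SU_NAME/SU_MAIL/SU_PASSWORD variable names and the stand-in for django-admin are assumptions made here.

```shell
#!/bin/sh
# Added example, not the mailman3-web postinst. It reproduces the reported
# construction (credentials spliced into a command string that a second shell
# re-parses) next to a hardened form, where the command text is constant and
# the values are read from the environment. django-admin is never run here;
# the command strings are only built and syntax-checked.

# Mirrors the postinst: this shell expands $1..$3 into the text, and su/sh
# then parse that text again, so a " in any value alters its syntax.
unsafe_cmd() {
    printf '%s' "django-admin shell --command \"from django.contrib.auth.models import User; \
User.objects.filter(username='$1').delete(); \
User.objects.create_superuser('$1', '$2', '$3')\""
}

# Hardened form: no value appears in the command text. The Python program
# reads them via os.environ (variable names assumed here). The quoted heredoc
# delimiter keeps this shell from expanding anything inside it.
safe_cmd() {
    cat <<'EOF'
django-admin shell --command "import os; from django.contrib.auth.models import User; n, m, p = os.environ['SU_NAME'], os.environ['SU_MAIL'], os.environ['SU_PASSWORD']; User.objects.filter(username=n).delete(); User.objects.create_superuser(n, m, p)"
EOF
}

# Parse a command string the way the inner shell would, without running it.
# Exit 0 if it parses, non-zero on the "Unterminated quoted string" case.
parses() {
    sh -n -c "$1" 2>/dev/null
}

# How the hardened form is invoked: export the values, then run a fixed
# command. The stand-in command only echoes SU_PASSWORD back so the round
# trip can be checked without Django; a postinst would run "$(safe_cmd)".
run_with_env() {
    SU_NAME=$1; SU_MAIL=$2; SU_PASSWORD=$3
    export SU_NAME SU_MAIL SU_PASSWORD
    sh -c 'printf "%s" "$SU_PASSWORD"'
}
```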