NethServer / dev

NethServer issue tracker
https://github.com/NethServer/dev/issues

Webtop: special characters in bind password breaks configuration #6992

Closed stephdl closed 1 month ago

stephdl commented 2 months ago

When setting up an external LDAP system, the bind password is crucial for secure login. However, if this password includes special characters like double quotes ("), it can break the configuration. This is because the system uses bash expansion, where double quotes are interpreted as the end of the password. When the system encounters a quote, it mistakenly thinks the password ends there, which leads to errors.

This misinterpretation causes the configuration process to fail because the password isn't read correctly.

Steps to reproduce

Enqueued anchor job 47 postgres.service/start.
Enqueued auxiliary job 63 apache.service/start.
Enqueued auxiliary job 60 webapp.service/start.
Enqueued auxiliary job 61 z-push.service/start.
Enqueued auxiliary job 59 webtop.service/start.
Enqueued auxiliary job 62 webdav.service/start.
DELETE 0
INSERT 0 1
DELETE 0
INSERT 0 1
DELETE 1
INSERT 0 1
DELETE 1
DELETE 1
INSERT 0 1
INSERT 0 1
DELETE 1
DELETE 1
INSERT 0 1
INSERT 0 1
DELETE 1
INSERT 0 1
bash: -c: line 1: unexpected EOF while looking for matching `"'
bash: -c: line 2: syntax error: unexpected end of file
Traceback (most recent call last):
  File "/home/webtop1/.config/actions/configure-module/20config", line 265, in <module>
    domain_setup(mail_domain, user_domain)
  File "/home/webtop1/.config/actions/configure-module/20config", line 19, in domain_setup
    user_domain_password = subprocess.check_output(['podman', 'run', '--rm', os.environ["WEBTOP_WEBAPP_IMAGE"], 'bash', '-c', "echo -n " + user_domain["bind_password"] + " | java -classpath /usr/share/webtop/ WebtopPassEncode"], text=True).splitlines().pop()
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/subprocess.py", line 466, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['podman', 'run', '--rm', 'ghcr.io/nethserver/webtop-webapp:1.0.19', 'bash', '-c', 'echo -n BindTestPassword" | java -classpath /usr/share/webtop/ WebtopPassEncode']' returned non-zero exit status 2.

Expected behavior

When setting up an LDAP system, I didn't expect that using double quotes in the bind password would break the configuration.

Actual behavior

This error should not exist. To prevent it, we must ensure that bash expansion does not occur. Instead, we need to use a secure method to pass the password into the Python function. By doing this, we can avoid issues caused by special characters like quotes in the password and ensure the configuration works correctly.

Components

webtop:1.0.19

See also

https://community.nethserver.org/t/webtop-with-external-ldap/23251


Thanks, fausp
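The failure reported above, reproduced next to two ways of keeping the password out of the shell's parser. This is an added example, not code from ns8-webtop or from the released fix; `cat` stands in for the `java ... WebtopPassEncode` stage and `sh` for the container's `bash`, and all function names and sample passwords are constructed for illustration.

```python
import shlex
import subprocess

# Constructed sample: the password shape shown in the issue's log.
SAMPLE_PASSWORD = 'BindTestPassword"'

# Assumption: stand-in for "java -classpath ... WebtopPassEncode", which
# reads the password on stdin. "cat" echoes stdin back unchanged.
ENCODER = "cat"


def encode_by_concatenation(password):
    """Pattern from the traceback: the password becomes shell source text."""
    script = "echo -n " + password + " | " + ENCODER
    # No check=True, so the caller can inspect the failure.
    return subprocess.run(["sh", "-c", script], capture_output=True, text=True)


def encode_via_stdin(password):
    """Password is sent as data on stdin; no shell ever parses it."""
    done = subprocess.run([ENCODER], input=password,
                          capture_output=True, text=True, check=True)
    return done.stdout


def encode_quoted(password):
    """If a shell is unavoidable: quote the value so it stays one word.
    The password is still visible in the process argument list."""
    script = "printf %s " + shlex.quote(password) + " | " + ENCODER
    done = subprocess.run(["sh", "-c", script],
                          capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    broken = encode_by_concatenation(SAMPLE_PASSWORD)
    print("concatenation exit status:", broken.returncode)
    print("concatenation stderr:", broken.stderr.strip())
    # Unquoted expansion also alters passwords that do not fail outright.
    print("two spaces ->", repr(encode_by_concatenation("two  spaces").stdout))
    print("stdin:", repr(encode_via_stdin(SAMPLE_PASSWORD)))
    print("quoted:", repr(encode_quoted(SAMPLE_PASSWORD)))
```

When the consumer runs under `podman run`, stdin reaches the container only if `-i` (`--interactive`) is passed.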

stephdl commented 2 months ago

QA

You must be able to see the Dovecot folder and send and receive an email; no errors expected.

lucagasparini commented 1 month ago

QA passed successfully.

DavidePrincipi commented 1 month ago

Released https://github.com/NethServer/ns8-webtop/releases/tag/1.0.20

DavidePrincipi commented 1 month ago

Released https://github.com/NethServer/ns8-mail/releases/tag/1.4.6