apostrophes aren't correctly encoded

akhepcat commented 7 years ago

The current code contains an unnecessary escape of the apostrophe within the sed command, causing apostrophes to not be XML encoded correctly. ( Current line 193)

Additionally, by unnecessary use of redirection, you're exposing the password to external processes. Internal bash functions should be used instead for /slightly/ more security.

Here's a quick example of the current (broken), a fixed version, and the internal-only code.

$ ./fixpass.sh
password: a;b'c"d&e<f>g!
     raw: a;b'c"d&e<f>g!
   broke: a;b'c&quot;d&amp;e&lt;f&gt;g!&apos;
   fixed: a;b&apos;c&quot;d&amp;e&lt;f&gt;g!
internal: a;b&apos;c&quot;d&amp;e&lt;f&gt;g!

$ cat fixpass.sh
#!/bin/bash
echo -n "password: "
read USER_PASS
USER_PASS_XML_BROKE=$(echo "$USER_PASS" | sed -e 's~&~\&amp;~g' -e 's~<~\&lt;~g' -e 's~>~\&gt;~g' -e 's~\"~\&quot;~g' -e "s~\'~\&apos;~g" )
USER_PASS_XML_FIXED=$(echo "$USER_PASS" | sed -e 's~&~\&amp;~g; s~<~\&lt;~g; s~>~\&gt;~g; s~\"~\&quot;~g;' -e "s~'~\&apos;~g;" )

USER_PASS_FIX_INT=${USER_PASS//&/&amp;}
USER_PASS_FIX_INT=${USER_PASS_FIX_INT//</&lt;}
USER_PASS_FIX_INT=${USER_PASS_FIX_INT//>/&gt;}
USER_PASS_FIX_INT=${USER_PASS_FIX_INT//\"/&quot;}
USER_PASS_FIX_INT=${USER_PASS_FIX_INT//\'/&apos;}

echo "     raw: ${USER_PASS}"
echo "   broke: ${USER_PASS_XML_BROKE}"
echo "   fixed: ${USER_PASS_XML_FIXED}"
echo "internal: ${USER_PASS_FIX_INT}"

homebysix commented 7 years ago

Love this. Thank you @akhepcat!

homebysix commented 7 years ago

Fixed by https://github.com/homebysix/jss-filevault-reissue/commit/c96d98faef33ff805dc7b9806c92a2f690d3d07e.

homebysix / jss-filevault-reissue

apostrophes aren't correctly encoded #3