Bug #2002

Sogo mysql password unescaped: connection fails

Added by Davide Principi about 8 years ago. Updated about 8 years ago.

Status: CLOSED
Start date: 06/07/2013
Priority: Normal
Due date: 06/07/2013
Assignee: -
% Done: 100%
Category: nethserver-sogo
Target version: v6.4-beta2
Security class:
Resolution:
Affected version: v6.4-beta1
NEEDINFO: No

Description

A password containing the slash "/" character breaks the mysql connection string.

In /var/log/sogo/sogo.log:

ERROR(+[GCSFolderManager defaultFolderManager]): default 'OCSFolderInfoURL' is not a valid URL: 'mysql://sogo:MYPASS/ORD@localhost/sogo/sogo_folder_info'

"MYPASS/ORD" should be uri-escaped "MYPASS%2FORD"

uri-escape-mysql-password.patch - Proposed solution (632 Bytes) Davide Principi, 06/06/2013 06:29 PM
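
The escaping described in this report, as an added example that is not the project's patch or template code: it percent-encodes the credentials before building the URL, then checks 'defaults read'-style lines for mysql URLs that no longer split into user, password, host, database and table. The function names and the sample lines (assembled from the URLs quoted on this page) are assumptions made for illustration.

```python
from urllib.parse import quote, unquote, urlsplit


def build_url(password, table, user="sogo", host="localhost", db="sogo"):
    """Build a mysql:// URL with the credentials percent-encoded.

    safe="" is required: by default quote() leaves "/" unescaped.
    """
    return "mysql://%s:%s@%s/%s/%s" % (
        quote(user, safe=""), quote(password, safe=""), host, db, table)


def parse_url(url):
    """Return (user, password, host, db, table) or raise ValueError."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    if (parts.scheme != "mysql" or parts.username is None
            or parts.password is None or "@" in parts.path
            or len(segments) != 2):
        raise ValueError("malformed or unescaped mysql URL: %r" % url)
    return (unquote(parts.username), unquote(parts.password),
            parts.hostname, segments[0], segments[1])


def audit(defaults_output):
    """Return the keys whose mysql URL fails to parse ("sogod <key> <url>")."""
    bad = []
    for line in defaults_output.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[2].startswith("mysql://"):
            try:
                parse_url(fields[2])
            except ValueError:
                bad.append(fields[1])
    return bad


# Constructed sample: one escaped URL and the unescaped URL from the log line.
SAMPLE = """\
sogod OCSSessionsFolderURL mysql://sogo:PASS%2FORD@localhost/sogo/sogo_sessions_folder
sogod OCSFolderInfoURL mysql://sogo:MYPASS/ORD@localhost/sogo/sogo_folder_info
"""

if __name__ == "__main__":
    print(build_url("MYPASS/ORD", "sogo_folder_info"))
    print(audit(SAMPLE))
```

With the unescaped password, the URL authority ends at the first "/", so the parser never sees the "@" and finds no credentials or host at all.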


Related issues

Related to NethServer 6 - Feature #1879: Mail-server: automatic subscription of group shared folders CLOSED 06/06/2013 06/06/2013
Related to NethServer 6 - Enhancement #2003: Mail-server: enable Listescape plugin CLOSED 06/07/2013 06/07/2013

Associated revisions

Revision 99c91db6
Added by Davide Principi about 8 years ago

sogo-config template (10mysql): uri-escape mysql password. Refs #2002

History

#1 Updated by Davide Principi about 8 years ago

  • Due date set to 06/07/2013
  • Status changed from TRIAGED to MODIFIED
  • Assignee set to Davide Principi
  • Target version set to v6.4-beta2
  • Start date set to 06/07/2013
  • % Done changed from 20 to 70

Test case

  1. Before installing nethserver-sogo, create a password containing the "/" character:
        # echo -n "PASS/ORD" >  /etc/openldap/.sogo.pw && chmod 600 /etc/openldap/.sogo.pw

  2. Install nethserver-sogo. If it's already installed, drop the mysql sogo database and signal the nethserver-sogo-update event again.
  3. Check that the mysql URIs are correctly escaped:
        # su -s '/bin/bash' -c 'defaults read' sogo | grep mysql
        sogod OCSSessionsFolderURL mysql://sogo:PASS%2FORD@localhost/sogo/sogo_sessions_folder
        sogod SOGoProfileURL mysql://sogo:PASS%2FORD@localhost/sogo/sogo_user_profile
        sogod OCSFolderInfoURL mysql://sogo:PASS%2FORD@localhost/sogo/sogo_folder_info


#2 Updated by Davide Principi about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 70 to 80

In nethserver-testing
nethserver-sogo-1.1.1-1.ns6.noarch.rpm

#3 Updated by Davide Principi about 8 years ago

  • Assignee deleted (Davide Principi)

#4 Updated by Giacomo Sanchietti about 8 years ago

  • Assignee set to Giacomo Sanchietti

#5 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 80 to 100

Created a password containing the / character:

    echo -n "bad/password" >  /etc/openldap/.sogo.pw && chmod 600 /etc/openldap/.sogo.pw

SOGo configuration:

    [root@test ~]# su -s '/bin/bash' -c 'defaults read' sogo | grep mysql
    sogod OCSSessionsFolderURL mysql://sogo:bad%2Fpassword@localhost/sogo/sogo_sessions_folder
    sogod SOGoProfileURL mysql://sogo:bad%2Fpassword@localhost/sogo/sogo_user_profile
    sogod OCSFolderInfoURL mysql://sogo:bad%2Fpassword@localhost/sogo/sogo_folder_info

Created a test user who can access SOGo without problems.

Marking VERIFIED

#6 Updated by Davide Principi about 8 years ago

  • Status changed from VERIFIED to CLOSED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 90 to 100

Moved to nethserver-updates repository
