From 68b1039769e8fd8d3ee39bcac8f57f7f3d37ee1a Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Apr 23 2015 01:38:03 +0000
Subject: Ticket #48143 - Password is not correctly passed to perl command line tools if it contains shell special characters.


Description: If a password contains shell special characters such as '$', '!',
'"', or ''', they were evaluated before passing to the core programs, e.g.,
ns-slapd for import and export or ldapmodify for tasks.

This patch escapes the special characters using shellEscape subroutine
in DSUtil.pm.

Example:
  Directory Manager Password: pas$w!or'd"
  $ ./db2ldif.pl -n userRoot -D 'cn=directory manager' -w pas\$w\!or\'d\"
  Successfully added task entry "cn=export_2015_4_7_15_17_16,cn=export,cn=tasks,cn=config"

Reviewed by rmeggins@redhat.com (Thank you, Rich!!)

https://fedorahosted.org/389/ticket/48143

---

diff --git a/ldap/admin/src/scripts/template-bak2db.pl.in b/ldap/admin/src/scripts/template-bak2db.pl.in
index 2f243ba..61cc510 100644
--- a/ldap/admin/src/scripts/template-bak2db.pl.in
+++ b/ldap/admin/src/scripts/template-bak2db.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
 	print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
 	print(STDERR "     :    -a dirname [-t dbtype]\n");
@@ -132,7 +135,8 @@ libpath_add("@nss_libdir@");
 libpath_add("/usr/lib");
 
 $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-cleanallruv.pl.in b/ldap/admin/src/scripts/template-cleanallruv.pl.in
index 437a3c0..6dfeec6 100644
--- a/ldap/admin/src/scripts/template-cleanallruv.pl.in
+++ b/ldap/admin/src/scripts/template-cleanallruv.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
     print(STDERR "        [-b basedn | -r rid | -A]\n");
@@ -168,7 +171,8 @@ $rid =    "replica-id: $rid\n";
 
 
 $entry = "${dn}${misc}${cn}${basedn}${rid}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-db2bak.pl.in b/ldap/admin/src/scripts/template-db2bak.pl.in
index 329664f..6349f34 100644
--- a/ldap/admin/src/scripts/template-db2bak.pl.in
+++ b/ldap/admin/src/scripts/template-db2bak.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
 	print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
 	print(STDERR "          [-a dirname] [-t dbtype]\n");
@@ -122,7 +125,8 @@ libpath_add("/usr/lib");
 
 $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
 print("Back up directory: $archivedir\n");
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-db2index.pl.in b/ldap/admin/src/scripts/template-db2index.pl.in
index 39454c5..2423d36 100644
--- a/ldap/admin/src/scripts/template-db2index.pl.in
+++ b/ldap/admin/src/scripts/template-db2index.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
     print(STDERR "        -n instance [-t attributeName[:indextypes[:matchingrules]]]\n");
@@ -226,7 +229,8 @@ $cn =  "cn: $taskname\n";
 $nsinstance = "nsInstance: ${instance}\n";
 
 $entry = "${dn}${misc}${cn}${nsinstance}${attribute}${vlvattribute}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-db2ldif.pl.in b/ldap/admin/src/scripts/template-db2ldif.pl.in
index febedd4..d1b1f39 100644
--- a/ldap/admin/src/scripts/template-db2ldif.pl.in
+++ b/ldap/admin/src/scripts/template-db2ldif.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
 	print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
 	print(STDERR "        {-n instance}* | {-s include}* [{-x exclude}*] \n");
@@ -266,7 +269,8 @@ libpath_add("/usr/lib");
 
 $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
 print("Exporting to ldif file: ${ldiffile}\n");
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in b/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
index 67f0b31..d9dd336 100644
--- a/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
+++ b/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
     print(STDERR "        [-l linkDN]\n");
@@ -152,7 +155,8 @@ if ($linkdn_arg ne "")
 }
 
 $entry = "${dn}${misc}${cn}${basedn}${linkdn}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-fixup-memberof.pl.in b/ldap/admin/src/scripts/template-fixup-memberof.pl.in
index 77a1528..f05def0 100644
--- a/ldap/admin/src/scripts/template-fixup-memberof.pl.in
+++ b/ldap/admin/src/scripts/template-fixup-memberof.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
     print(STDERR "        -b baseDN [-f filter]\n");
@@ -163,7 +166,8 @@ if ( $filter_arg ne "" )
 }
 
 $entry = "${dn}${misc}${cn}${basedn}${filter}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-ldif2db.pl.in b/ldap/admin/src/scripts/template-ldif2db.pl.in
index 1cf83b4..5fff029 100644
--- a/ldap/admin/src/scripts/template-ldif2db.pl.in
+++ b/ldap/admin/src/scripts/template-ldif2db.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
 	print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
 	print(STDERR "        -n instance | {-s include}* [{-x exclude}*] [-O] [-c]\n");
@@ -224,7 +227,8 @@ libpath_add("@nss_libdir@");
 libpath_add("/usr/lib");
 
 $ENV{'SHLIB_PATH'} = "$ENV{'LD_LIBRARY_PATH'}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-ns-accountstatus.pl.in b/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
index 8e2e590..e97d1bc 100644
--- a/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
+++ b/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
@@ -43,6 +43,9 @@
 # SUB-ROUTINES
 ###############################
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage_and_exit
 {
 	print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n");
@@ -110,7 +113,7 @@ sub indirectLock
 
 	my $L_local;
 
-`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
+`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
 $retCode=$?;
 if ( $retCode != 0 )
 {
@@ -119,13 +122,13 @@ if ( $retCode != 0 )
 }
 
 	# Check if the role is a nested role
-	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
+	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
 	# L_isNested == 1 means that we are going through a nested role, so for each member of that
 	# nested role, check that the member is below the scope of the nested
 	$L_isNested=@L_Nested;
 
 	# Not Direct Lock, Go through roles if any
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
 
 	debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n");
 
@@ -247,7 +250,7 @@ sub memberOf
 	my $L_search;
 	my $L_currentrole;
 
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
 
 	debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n");
 
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}";
 # User values
 $rootdn= "{{ROOT-DN}}";
 $rootpw= "";
+$escaped= "";
 $pwfile= "";
 $host= "{{SERVER-NAME}}";
 $port= "{{SERVER-PORT}}";
@@ -489,11 +493,12 @@ if( $entry eq "" )
 	usage_and_exit();
 }
 
+$escaped = shellEscape($rootpw);
 #
 # Check the actual existence of the entry to inactivate/activate
 # and at the same time, validate the various parm: port, host, rootdn, rootpw
 #
-@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`;
+@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`;
 $retCode1=$?;
 if ( $retCode1 != 0 )
 {
@@ -501,7 +506,7 @@ if ( $retCode1 != 0 )
 	exit $retCode1;
 }
 
-@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
+@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
 $nbLineRole=@isRole;
 $retCode2=$?;
 if ( $retCode2 != 0 )
@@ -527,7 +532,7 @@ else
 $isLocked=0;
 if ( $single == 1 )
 {
-	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
+	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
 	open (LDAP1, "$searchAccountLock |");
 	while (<LDAP1>) {
 		s/\n //g;
@@ -575,7 +580,7 @@ while ($cont == 0)
 	#	ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\""
 	#
 	debug("\tSuffix from the entry: #@suffixN#\n");
-	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
+	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
 
 	$retCode=$?;
 	if ( $retCode != 0 )
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" )
 		"\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'",
 		"cn=nsAccountInactivation_cos,@suffixN" );
 
-	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 ";
+	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 ";
 	@role1=(
 		"dn: cn=nsManagedDisabledRole,@suffixN\n",
 		"objectclass: LDAPsubentry\n",
@@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" )
 #
 # Inactivate/activate the entry
 #
-$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1";
+$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1";
 if ( $single == 1 )
 {
 	@record=(
diff --git a/ldap/admin/src/scripts/template-ns-activate.pl.in b/ldap/admin/src/scripts/template-ns-activate.pl.in
index 8e2e590..3cc53e9 100644
--- a/ldap/admin/src/scripts/template-ns-activate.pl.in
+++ b/ldap/admin/src/scripts/template-ns-activate.pl.in
@@ -43,6 +43,9 @@
 # SUB-ROUTINES
 ###############################
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage_and_exit
 {
 	print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n");
@@ -110,7 +113,7 @@ sub indirectLock
 
 	my $L_local;
 
-`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
+`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
 $retCode=$?;
 if ( $retCode != 0 )
 {
@@ -119,13 +122,13 @@ if ( $retCode != 0 )
 }
 
 	# Check if the role is a nested role
-	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
+	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
 	# L_isNested == 1 means that we are going through a nested role, so for each member of that
 	# nested role, check that the member is below the scope of the nested
 	$L_isNested=@L_Nested;
 
 	# Not Direct Lock, Go through roles if any
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
 
 	debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n");
 
@@ -247,7 +250,7 @@ sub memberOf
 	my $L_search;
 	my $L_currentrole;
 
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
 
 	debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n");
 
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}";
 # User values
 $rootdn= "{{ROOT-DN}}";
 $rootpw= "";
+$escaped= "";
 $pwfile= "";
 $host= "{{SERVER-NAME}}";
 $port= "{{SERVER-PORT}}";
@@ -493,7 +497,8 @@ if( $entry eq "" )
 # Check the actual existence of the entry to inactivate/activate
 # and at the same time, validate the various parm: port, host, rootdn, rootpw
 #
-@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`;
+$escaped = shellEscape($rootpw);
+@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`;
 $retCode1=$?;
 if ( $retCode1 != 0 )
 {
@@ -501,7 +506,7 @@ if ( $retCode1 != 0 )
 	exit $retCode1;
 }
 
-@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
+@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
 $nbLineRole=@isRole;
 $retCode2=$?;
 if ( $retCode2 != 0 )
@@ -527,7 +532,7 @@ else
 $isLocked=0;
 if ( $single == 1 )
 {
-	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
+	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
 	open (LDAP1, "$searchAccountLock |");
 	while (<LDAP1>) {
 		s/\n //g;
@@ -575,7 +580,7 @@ while ($cont == 0)
 	#	ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\""
 	#
 	debug("\tSuffix from the entry: #@suffixN#\n");
-	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
+	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
 
 	$retCode=$?;
 	if ( $retCode != 0 )
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" )
 		"\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'",
 		"cn=nsAccountInactivation_cos,@suffixN" );
 
-	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 ";
+	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 ";
 	@role1=(
 		"dn: cn=nsManagedDisabledRole,@suffixN\n",
 		"objectclass: LDAPsubentry\n",
@@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" )
 #
 # Inactivate/activate the entry
 #
-$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1";
+$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1";
 if ( $single == 1 )
 {
 	@record=(
diff --git a/ldap/admin/src/scripts/template-ns-inactivate.pl.in b/ldap/admin/src/scripts/template-ns-inactivate.pl.in
index 8e2e590..3cc53e9 100644
--- a/ldap/admin/src/scripts/template-ns-inactivate.pl.in
+++ b/ldap/admin/src/scripts/template-ns-inactivate.pl.in
@@ -43,6 +43,9 @@
 # SUB-ROUTINES
 ###############################
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage_and_exit
 {
 	print (STDERR "$cmd [-D rootdn] { -w password | -w - | -j filename } \n");
@@ -110,7 +113,7 @@ sub indirectLock
 
 	my $L_local;
 
-`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
+`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn >> {{DEV-NULL}} 2>&1 `;
 $retCode=$?;
 if ( $retCode != 0 )
 {
@@ -119,13 +122,13 @@ if ( $retCode != 0 )
 }
 
 	# Check if the role is a nested role
-	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
+	@L_Nested="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=nsNestedRoleDefinition)(objectclass=ldapsubentry))\"  ";
 	# L_isNested == 1 means that we are going through a nested role, so for each member of that
 	# nested role, check that the member is below the scope of the nested
 	$L_isNested=@L_Nested;
 
 	# Not Direct Lock, Go through roles if any
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_base\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsroledn ";
 
 	debug("\t-->indirectLock: check if $L_entry is part of a locked role from base $L_base\n\n");
 
@@ -247,7 +250,7 @@ sub memberOf
 	my $L_search;
 	my $L_currentrole;
 
-	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
+	$L_search="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$L_entry\" \"(|(objectclass=*)(objectclass=ldapsubentry))\" nsrole";
 
 	debug("\t\t-->memberOf: $L_search: check if $L_entry has $L_nsroledn as nsroledn attribute\n");
 
@@ -412,6 +415,7 @@ $defport= "{{SERVER-PORT}}";
 # User values
 $rootdn= "{{ROOT-DN}}";
 $rootpw= "";
+$escaped= "";
 $pwfile= "";
 $host= "{{SERVER-NAME}}";
 $port= "{{SERVER-PORT}}";
@@ -493,7 +497,8 @@ if( $entry eq "" )
 # Check the actual existence of the entry to inactivate/activate
 # and at the same time, validate the various parm: port, host, rootdn, rootpw
 #
-@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" dn`;
+$escaped = shellEscape($rootpw);
+@exist=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" dn`;
 $retCode1=$?;
 if ( $retCode1 != 0 )
 {
@@ -501,7 +506,7 @@ if ( $retCode1 != 0 )
 	exit $retCode1;
 }
 
-@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
+@isRole=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(&(objectclass=LDAPsubentry)(objectclass=nsRoleDefinition))\" dn`;
 $nbLineRole=@isRole;
 $retCode2=$?;
 if ( $retCode2 != 0 )
@@ -527,7 +532,7 @@ else
 $isLocked=0;
 if ( $single == 1 )
 {
-	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
+	$searchAccountLock="$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s base -b \"$entry\" \"(objectclass=*)\" nsaccountlock";
 	open (LDAP1, "$searchAccountLock |");
 	while (<LDAP1>) {
 		s/\n //g;
@@ -575,7 +580,7 @@ while ($cont == 0)
 	#	ldapsearch -s one -b "cn=mapping tree,cn=config" "cn=\"uid=jvedder,ou=People,o=sun.com\""
 	#
 	debug("\tSuffix from the entry: #@suffixN#\n");
-	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
+	@mapping=`$ldapsearch -p $port -h $host -D \"$rootdn\" -w $escaped -s one -b \"cn=mapping tree, cn=config\" \"cn=\\"@suffixN\\"\" cn `;
 
 	$retCode=$?;
 	if ( $retCode != 0 )
@@ -649,7 +654,7 @@ if ( $operation eq "inactivate" )
 		"\'cn=\"cn=nsDisabledRole,@suffixN\",cn=nsAccountInactivationTmp,@suffixN\'",
 		"cn=nsAccountInactivation_cos,@suffixN" );
 
-	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c -a >> {{DEV-NULL}} 2>&1 ";
+	$addrolescos="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c -a >> {{DEV-NULL}} 2>&1 ";
 	@role1=(
 		"dn: cn=nsManagedDisabledRole,@suffixN\n",
 		"objectclass: LDAPsubentry\n",
@@ -818,7 +823,7 @@ elsif ( $operation eq "activate" || $operation eq "get status of" )
 #
 # Inactivate/activate the entry
 #
-$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w \"$rootpw\" -c >> {{DEV-NULL}} 2>&1";
+$action="$ldapmodify -p $port -h $host -D \"$rootdn\" -w $escaped -c >> {{DEV-NULL}} 2>&1";
 if ( $single == 1 )
 {
 	@record=(
diff --git a/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in b/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in
index bd9b238..a41c342 100755
--- a/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in
+++ b/ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in
@@ -40,6 +40,7 @@
 #
 
 use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
 
 # enable the use of our bundled perldap with our bundled ldapsdk libraries
 # all of this nonsense can be omitted if the mozldapsdk and perldap are
@@ -112,6 +113,7 @@ sub usage {
 		print (STDERR "Please provide at least -S or -U option.\n\n");
 	}
 
+	$escaped = shellEscape($opt_w);
 	# Now, check if the user/group exists
 
 	if ($opt_S) {
@@ -126,8 +128,8 @@ sub usage {
 			"cn=nsPwPolicy_cos,$opt_S"
 		);
 
-		$ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c -a 2>&1";
-		$modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c 2>&1";
+		$ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c -a 2>&1";
+		$modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c 2>&1";
 
 		@container=(
 			"dn: cn=nsPwPolicyContainer,$opt_S\n",
@@ -223,8 +225,8 @@ sub usage {
 			"cn=cn\\=nsPwPolicyEntry\\,$esc_opt_U,cn=nsPwPolicyContainer,$parentDN"
 		);
 
-		$ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c -a 2>&1";
-		$modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w \"$opt_w\" -c 2>&1";
+		$ldapadd="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c -a 2>&1";
+		$modifyCfg="$ldapmodify -p $opt_p -h $opt_h -D \"$opt_D\" -w $escaped -c 2>&1";
 
 		@container=(
 			"dn: cn=nsPwPolicyContainer,$parentDN\n",
diff --git a/ldap/admin/src/scripts/template-schema-reload.pl.in b/ldap/admin/src/scripts/template-schema-reload.pl.in
index 6b64b5e..96cc48d 100644
--- a/ldap/admin/src/scripts/template-schema-reload.pl.in
+++ b/ldap/admin/src/scripts/template-schema-reload.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
     print(STDERR "        [-d schemadir]\n");
@@ -152,7 +155,8 @@ if ( $schemadir_arg ne "" )
 }
 
 $entry = "${dn}${misc}${cn}${basedn}${schemadir}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-syntax-validate.pl.in b/ldap/admin/src/scripts/template-syntax-validate.pl.in
index b40ef69..6008a2d 100644
--- a/ldap/admin/src/scripts/template-syntax-validate.pl.in
+++ b/ldap/admin/src/scripts/template-syntax-validate.pl.in
@@ -39,6 +39,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } \n");
     print(STDERR "        -b baseDN [-f filter]\n");
@@ -163,7 +166,8 @@ if ( $filter_arg ne "" )
 }
 
 $entry = "${dn}${misc}${cn}${basedn}${filter}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;
diff --git a/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in b/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
index 92c106d..928ccc9 100644
--- a/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
+++ b/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
@@ -38,6 +38,9 @@
 # END COPYRIGHT BLOCK
 #
 
+use lib qw(@perlpath@);
+use DSUtil qw(shellEscape);
+
 sub usage {
     print(STDERR "Usage: $0 [-v] -D rootdn { -w password | -w - | -j filename } -s suffix | -n backend [ -m maxusn_to_delete ]\n");
     print(STDERR " Opts: -D rootdn           - Directory Manager\n");
@@ -180,7 +183,8 @@ if ( $maxusn_arg ne "" )
 }
 
 $entry = "${dn}${misc}${cn}${basedn}${args}";
-open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
+$escaped = shellEscape($passwd);
+open(FOO, "| ldapmodify @ldaptool_opts@ $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w $escaped -a" );
 print(FOO "$entry");
 close(FOO);
 $retcode = $?>>8;