ports/70618: print/a2ps-* using "file -L %s" as shell argument --> dangerous to use it in world-writable directories

freebsd-dr at durchnull.de freebsd-dr at durchnull.de
Wed Aug 18 16:10:31 UTC 2004


The following reply was made to PR ports/70618; it has been noted by GNATS.

From: freebsd-dr at durchnull.de
To: freebsd-gnats-submit at FreeBSD.org, freebsd-dr at durchnull.de
Cc:  
Subject: Re: ports/70618: print/a2ps-* using "file -L %s" as shell argument --> dangerous to use it in world-writable directories
Date: 18 Aug 2004 16:00:46 -0000

 The patch has a bug in the handling of a NULL return value of malloc.
 Here is a "better" patch:
 
 
 diff -ru ../a2ps-4.13.orig/src/select.c ./src/select.c
 --- ../a2ps-4.13.orig/src/select.c	Wed Aug 18 16:32:09 2004
 +++ ./src/select.c	Wed Aug 18 16:49:12 2004
 @@ -131,6 +131,36 @@
    return 1;
  }
  
 +/* escapes the name of a file so that the shell groks it in 'single' q.marks. 
 +   The resulting pointer has to be free()ed when not longer used. */
 +char *
 +shell_escape(const char *fn)
 +{
 +  size_t len = 0;
 +  const char *inp;
 +  char *retval, *outp;
 +
 +  for(inp = fn; *inp; ++inp)
 +    switch(*inp)
 +    {
 +      case '\'': len += 4; break;
 +      default:   len += 1; break;
 +    }
 +
 +  outp = retval = malloc(len + 1);
 +  if(!outp)
 +    return NULL; /* perhaps one should do better error handling here */
 +  for(inp = fn; *inp; ++inp)
 +    switch(*inp)
 +    {
 +      case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
 +      default:   *outp++ = *inp; break;
 +    }
 +  *outp = 0;
 +
 +  return retval;
 +}
 +
  /* What says file about the type of a file (result is malloc'd).  NULL
    if could not be run.  */
  
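Review bot: The header comment on `shell_escape` omits two things a caller must know: the function returns NULL when malloc fails, and the result is only safe once the caller wraps it in single quotes, because the function emits no surrounding quotes itself. I would reword it to `/* Escape FN for use inside a 'single-quoted' sh word (each ' becomes '\''); the caller adds the surrounding quotes. Returns a malloc'd string the caller must free(), or NULL if malloc fails. */`. In the second switch the third store ends with a comma instead of a semicolon (`*outp++ = '\'', *outp++ = '\'';`); it still evaluates in order, but `;` would match the rest of the line. No prototype or `static` is visible in the hunk, so if only select.c calls the function, `static char *` would keep it out of the global namespace.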
 @@ -144,11 +174,15 @@
    if (IS_EMPTY (job->file_command))
      return NULL;
  
 +  filename = shell_escape(filename);
 +  if(filename == NULL)
 +    return NULL;
    /* Call file(1) with the correct option */
 -  command = ALLOCA (char, (2
 +  command = ALLOCA (char, (4
  			   + strlen (job->file_command)
  			   + ustrlen (filename)));
 -  sprintf (command, "%s %s", job->file_command, (const char *) filename);
 +  sprintf (command, "%s '%s'", job->file_command, (const char *) filename);
 +  free(filename);
    message (msg_tool, (stderr, "Reading pipe: `%s'\n", command));
    file_out = popen (command, "r");
  
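Review bot: Quoting stops the shell from interpreting the name, but a file whose name begins with `-` is still read by file(1) as an option, because the new `sprintf` places the quoted name directly after `job->file_command`. If the configured command accepts it, ending option parsing first closes that gap: size the buffer with `7` instead of `4` in the `ALLOCA` call and use `sprintf (command, "%s -- '%s'", job->file_command, (const char *) filename);`. Separately, `filename = shell_escape(filename);` overwrites the parameter and later passes it to `free()`. The declaration is outside the hunk, but the `(const char *)` cast and `ustrlen` suggest a const unsigned-char pointer, so a local such as `char *escaped` would avoid the qualifier and type mismatch and keep the original name available. The function begins and ends outside the hunk.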


