bin/167744: [patch] /usr/sbin/adduser: enclose with double quotes: $_input --> "$_input"

Norihiko Murase mur1080224 at inter7.jp
Wed May 9 16:30:06 UTC 2012


>Number:         167744
>Category:       bin
>Synopsis:       [patch] /usr/sbin/adduser: enclose with double quotes: $_input --> "$_input"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 09 16:30:05 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Norihiko Murase
>Release:        FreeBSD 8.2-RELEASE i386
>Organization:
>Environment:
>Description:
In the shell script 'adduser' (/usr/sbin/adduser), the value of the shell
variable "_input" is used WITHOUT double quotes in several places.
This is NOT SAFE. You should replace them as follows:
  (before) $_input
   (after) "$_input"

>How-To-Repeat:
This kind of difference (the lack of the double quotes) comes to a head
at least when the value includes a white space (` ').
# Example:
# when you specify a value with a white space as the username.
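As an added illustration (not part of this PR or of /usr/sbin/adduser), the POSIX sh snippet below shows what the shell does with a value containing whitespace, an empty value, and a glob character in the two forms; `count_args` is a stand-in for `pw usershow` that only reports how many arguments reached it.

```sh
#!/bin/sh
# Added example (not part of the PR or of /usr/sbin/adduser): how a POSIX
# shell treats an unquoted $_input versus "$_input" when the value is passed
# to a command, as on the `usershow` line of the patch.

# Stand-in for `pw usershow`: just report how many arguments arrived.
count_args() {
    echo "$#"
}

# The original form: $_input is expanded, then field-split on IFS and
# subjected to pathname expansion, so the command may see 0, 1 or many words.
args_unquoted() {
    _input=$1
    # The unquoted expansion is deliberate here; it is what is being shown.
    count_args $_input
}

# The patched form: "$_input" always arrives as exactly one argument,
# even when it is empty or contains spaces or glob characters.
args_quoted() {
    _input=$1
    count_args "$_input"
}

# Pathname expansion: in a scratch directory holding two files, an unquoted
# value of `*` turns into the two file names; the quoted value stays literal.
# Usage: glob_demo unquoted | glob_demo quoted
glob_demo() {
    _dir=$(mktemp -d) || return 1
    (
        cd "$_dir" && : > a.txt && : > b.txt || exit 1
        if [ "$1" = quoted ]; then args_quoted '*'; else args_unquoted '*'; fi
    )
    rm -rf "$_dir"
}

# Demonstration with constructed inputs; prints "2 1", "0 1" and "2 1".
printf 'john doe -> unquoted:%s quoted:%s\n' "$(args_unquoted 'john doe')" "$(args_quoted 'john doe')"
printf 'empty    -> unquoted:%s quoted:%s\n' "$(args_unquoted '')" "$(args_quoted '')"
printf '*        -> unquoted:%s quoted:%s\n' "$(glob_demo unquoted)" "$(glob_demo quoted)"
```

The empty case is the one that matters for the `usershow` check: unquoted, the command is run with no name argument at all; quoted, it receives a single empty string.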

>Fix:
Apply the patch attached, which solves this (potential) problem by 
modifying the shell script 'adduser' (/usr/sbin/adduser).


Patch attached with submission follows:

--- adduser.orig	2011-02-18 01:51:54.000000000 +0000
+++ adduser	2012-05-09 23:04:00.000000000 +0000
@@ -362,7 +362,7 @@
 			err "You must enter a username!"
 			[ -z "$fflag" ] && continue
 		fi
-		${PWCMD} usershow $_input > /dev/null 2>&1
+		${PWCMD} usershow "$_input" > /dev/null 2>&1
 		if [ "$?" -eq 0 ]; then
 			err "User exists!"
 			[ -z "$fflag" ] && continue
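Review bot: the quoting on the `${PWCMD} usershow "$_input"` line is the one change in this patch with a real behavioural effect: unquoted, a username containing whitespace is split into several arguments and a name containing `*` or `?` is subject to pathname expansion before `pw` sees it, so the existence check can run against the wrong name. Note also that the `continue` above is skipped when `$fflag` is non-empty, so an empty `_input` can reach this line; the quoted form then passes a single empty argument instead of none, which is worth checking against what `usershow` does with no name. `${PWCMD}` on the same line stays unquoted; fine if it is only ever a bare command path, and presumably intentional if it carries options.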
@@ -419,7 +419,7 @@
 		if [ -n "$Sflag" ]; then
 			ushell="$_input"
 		else
-			_fullpath=`fullpath_from_shell $_input`
+			_fullpath=`fullpath_from_shell "$_input"`
 			if [ -n "$_fullpath" ]; then
 				ushell="$_fullpath"
 			else
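Review bot: correct as far as this hunk goes, but `fullpath_from_shell` receives the value as `$1`, and if that function expands `$1` unquoted internally the splitting only moves one level down; please check its body gets the same treatment. The backticks match the rest of the file, so there is no need to switch to `$(...)` here.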
@@ -500,7 +500,7 @@
 		_input="`echo "$fileline" | cut -f2 -d:`"
 	fi
 
-	[ -n "$_input" ] && uuid=$_input
+	[ -n "$_input" ] && uuid="$_input"
 	uuid=`get_nextuid $uuid`
 	uidstart=$uuid
 }
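Review bot: the quotes added to `uuid="$_input"` are harmless but not needed: the right-hand side of a plain assignment is not field-split or glob-expanded in POSIX sh. The expansion that does matter in this hunk is left untouched two lines below: `uuid=`get_nextuid $uuid`` passes `$uuid` unquoted as a command argument, so if the goal is to close every such hole it should become `get_nextuid "$uuid"`.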
@@ -707,7 +707,7 @@
 		echo -n "Use password-based authentication? [$_usepass]: "
 		read _input
 		[ -z "$_input" ] && _input=$_usepass
-		case $_input in
+		case "$_input" in
 		[Nn][Oo]|[Nn])
 			passwdtype="no"
 			;;
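Review bot: the word after `case` is not field-split or glob-expanded by POSIX sh, so `case "$_input" in` behaves exactly like `case $_input in`; this hunk, and the same change at 771, 818 and 1034, is a consistency fix rather than a bug fix, and the PR description should not call the unquoted `case` form unsafe. On the same hunk, `_input=$_usepass` is a plain assignment and is fine unquoted.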
@@ -715,7 +715,7 @@
 			while : ; do
 				echo -n "Use an empty password? (yes/no) [$_emptypass]: "
 				read _input
-				[ -n "$_input" ] && _emptypass=$_input
+				[ -n "$_input" ] && _emptypass="$_input"
 				case $_emptypass in
 				[Nn][Oo]|[Nn])
 					echo -n "Use a random password? (yes/no) [$_random]: "
@@ -771,7 +771,7 @@
 		echo -n "Lock out the account after creation? [$_disable]: "
 		read _input
 		[ -z "$_input" ] && _input=$_disable
-		case $_input in
+		case "$_input" in
 		[Nn][Oo]|[Nn])
 			disableflag=
 			;;
@@ -818,7 +818,7 @@
 	while : ; do
 		echo -n "OK? (yes/no): "
 		read _input
-		case $_input in
+		case "$_input" in
 		[Nn][Oo]|[Nn])
 			return 1
 			;;
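Review bot: each of these prompts uses a bare `read _input`; without `-r`, the shell treats a backslash in the answer as an escape character, so the value is altered before the `case` sees it. Not introduced by this patch, but since it touches every one of these `read`/`case` pairs, `read -r _input` would be the more robust form if the file wants it.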
@@ -1034,7 +1034,7 @@
 			echo -n "Re-edit the default configuration? (yes/no): "
 		fi
 		read _input
-		case $_input in
+		case "$_input" in
 		[Yy][Ee][Ss]|[Yy][Ee]|[Yy])
 			uidstart=`get_nextuid $uidstart`
 			input_interactive
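Review bot: as with the other `case` hunks, this quoting is stylistic. The unquoted `uidstart=`get_nextuid $uidstart`` in the context line just below is the one that would actually benefit from quotes, for the same reason as the `get_nextuid $uuid` call in the 500 hunk.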


>Release-Note:
>Audit-Trail:
>Unformatted: