bin/167744: [patch] /usr/sbin/adduser: enclose with double quotes: $_input --> "$_input"
Norihiko Murase
mur1080224 at inter7.jp
Wed May 9 16:30:06 UTC 2012
>Number: 167744
>Category: bin
>Synopsis: [patch] /usr/sbin/adduser: enclose with double quotes: $_input --> "$_input"
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 09 16:30:05 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Norihiko Murase
>Release: FreeBSD 8.2-RELEASE i386
>Organization:
>Environment:
>Description:
In the shell script 'adduser' (/usr/sbin/adduser), the value of shell
variable "_input" is used WITHOUT double quotes in several places.
This is NOT SAFE. You should replace them as follows:
(before) $_input
(after) "$_input"
>How-To-Repeat:
This kind of difference (the lack of the double quotes) comes to a head
at least when the value includes a white space (` ').
# Example:
# when you specify a value with a white space as the username.
>Fix:
Apply the patch attached, which solves this (potential) problem by
modifying the shell script 'adduser' (/usr/sbin/adduser).
Patch attached with submission follows:
--- adduser.orig 2011-02-18 01:51:54.000000000 +0000
+++ adduser 2012-05-09 23:04:00.000000000 +0000
@@ -362,7 +362,7 @@
err "You must enter a username!"
[ -z "$fflag" ] && continue
fi
- ${PWCMD} usershow $_input > /dev/null 2>&1
+ ${PWCMD} usershow "$_input" > /dev/null 2>&1
if [ "$?" -eq 0 ]; then
err "User exists!"
[ -z "$fflag" ] && continue
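Review bot: the quoting in `${PWCMD} usershow "$_input"` is correct, since a username containing whitespace now reaches pw as a single argument instead of being split into several, but the unchanged `if [ "$?" -eq 0 ]` that follows treats every non-zero exit the same way: a name pw rejects as invalid and a name that simply does not exist both fall past the "User exists!" check. Consider validating the username (at minimum rejecting whitespace) before this call rather than relying on pw's exit status to catch bad input.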
@@ -419,7 +419,7 @@
if [ -n "$Sflag" ]; then
ushell="$_input"
else
- _fullpath=`fullpath_from_shell $_input`
+ _fullpath=`fullpath_from_shell "$_input"`
if [ -n "$_fullpath" ]; then
ushell="$_fullpath"
else
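Review bot: quoting the argument in `_fullpath=`fullpath_from_shell "$_input"`` only helps if fullpath_from_shell quotes its own `$1` internally when it expands it; that function is not in the diff, so please check it as part of this change, otherwise the value is split one call deeper. The `ushell="$_fullpath"` assignment below is already fine.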
@@ -500,7 +500,7 @@
_input="`echo "$fileline" | cut -f2 -d:`"
fi
- [ -n "$_input" ] && uuid=$_input
+ [ -n "$_input" ] && uuid="$_input"
uuid=`get_nextuid $uuid`
uidstart=$uuid
}
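Review bot: `uuid="$_input"` changes nothing in a POSIX shell, because the right-hand side of a variable assignment is not subject to field splitting or pathname expansion. The expansion in this hunk that actually matters is the unchanged `uuid=`get_nextuid $uuid`` on the next line, where `$uuid` is passed unquoted as a command argument; if the aim is to harden this path, quote that argument (`get_nextuid "$uuid"`) instead of, or in addition to, the assignment.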
@@ -707,7 +707,7 @@
echo -n "Use password-based authentication? [$_usepass]: "
read _input
[ -z "$_input" ] && _input=$_usepass
- case $_input in
+ case "$_input" in
[Nn][Oo]|[Nn])
passwdtype="no"
;;
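Review bot: `case "$_input" in` is a no-op as far as behaviour goes: POSIX applies parameter expansion and quote removal to the case word but neither field splitting nor pathname expansion, so the original `case $_input in` already handled a value containing spaces or `*` as one word. The change is harmless and consistent with the rest of the patch, but it is a style change rather than a safety fix and should be described as such.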
@@ -715,7 +715,7 @@
while : ; do
echo -n "Use an empty password? (yes/no) [$_emptypass]: "
read _input
- [ -n "$_input" ] && _emptypass=$_input
+ [ -n "$_input" ] && _emptypass="$_input"
case $_emptypass in
[Nn][Oo]|[Nn])
echo -n "Use a random password? (yes/no) [$_random]: "
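Review bot: as with the uid hunk, `_emptypass="$_input"` does not change behaviour, since the right-hand side of an assignment is not split; meanwhile the `case $_emptypass in` two lines below is left unquoted, which is inconsistent with the case statements the patch quotes elsewhere. Either quote it too for consistency or leave both forms alone.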
@@ -771,7 +771,7 @@
echo -n "Lock out the account after creation? [$_disable]: "
read _input
[ -z "$_input" ] && _input=$_disable
- case $_input in
+ case "$_input" in
[Nn][Oo]|[Nn])
disableflag=
;;
@@ -818,7 +818,7 @@
while : ; do
echo -n "OK? (yes/no): "
read _input
- case $_input in
+ case "$_input" in
[Nn][Oo]|[Nn])
return 1
;;
@@ -1034,7 +1034,7 @@
echo -n "Re-edit the default configuration? (yes/no): "
fi
read _input
- case $_input in
+ case "$_input" in
[Yy][Ee][Ss]|[Yy][Ee]|[Yy])
uidstart=`get_nextuid $uidstart`
input_interactive
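Review bot: the `case "$_input" in` change here is cosmetic for the same reason as the earlier case hunks, but the unchanged `uidstart=`get_nextuid $uidstart`` inside the matched branch passes `$uidstart` unquoted as a command argument, the same pattern as the `get_nextuid $uuid` call in the uid hunk. If this patch is meant to sweep unquoted expansions out of adduser, that call belongs in it as well.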
>Release-Note:
>Audit-Trail:
>Unformatted:
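The quoting problem the report describes, as an added example that is not part of the PR or of FreeBSD's adduser(8): the script below uses a constructed username with a space and a literal `*` to show where a bare `$_input` is split or glob-expanded in a POSIX shell (a command's argument list) and where it is not (the word of a `case` statement). The helper `count_args` is a stand-in for a command such as `pw usershow`; all names and inputs are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's adduser(8). It shows
# what a POSIX shell does with an unquoted $_input: field splitting and
# pathname expansion apply when it appears bare in a command's argument
# list, but not when it is the word of a `case` statement.
# All inputs below are constructed for the demonstration.

# Stand-in for a command such as `pw usershow`: prints how many arguments
# it received, which is all that matters here.
count_args() {
    echo "$#"
}

# Bare $_input: split on IFS, so a username typed as "john doe" reaches the
# command as two arguments.
argc_unquoted() {
    _input=$1
    count_args $_input
}

# Quoted "$_input": the whole value is one argument, whatever it contains.
argc_quoted() {
    _input=$1
    count_args "$_input"
}

# Pathname expansion: run both forms in a scratch directory holding two
# files so that a bare * has something to expand to. Prints
# "<unquoted argc> <quoted argc>".
argc_glob() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/a"
    : > "$tmp/b"
    _input='*'
    (
        cd "$tmp" || exit 1
        u=$(count_args $_input)
        q=$(count_args "$_input")
        echo "$u $q"
    )
    rm -rf "$tmp"
}

# case word: POSIX applies neither field splitting nor pathname expansion
# to it, so `case $_input in` and `case "$_input" in` behave identically.
# A value of a single asterisk matches the literal '*' pattern regardless
# of what files are in the current directory.
case_unquoted() {
    _input=$1
    case $_input in
        '*') echo star ;;
        [Yy][Ee][Ss]|[Yy]) echo yes ;;
        *) echo other ;;
    esac
}

# Demonstration run with the constructed inputs.
echo "unquoted 'john doe' -> $(argc_unquoted 'john doe') args"
echo "quoted   'john doe' -> $(argc_quoted 'john doe') arg"
echo "bare * in a dir with two files, unquoted/quoted -> $(argc_glob)"
echo "case word with literal * -> $(case_unquoted '*')"
```

Running this with `sh` shows the two-argument split for the unquoted username and the `2 1` result for the glob, while the `case` word is unaffected either way; that is why the `pw usershow` and `get_nextuid` call sites matter and the `case` quoting in the patch is only a consistency change.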