Date: Wed, 18 Aug 2004 16:10:31 GMT From: freebsd-dr@durchnull.de To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/70618: print/a2ps-* using "file -L %s" as shell argument --> dangerous to use it in world-writable directories Message-ID: <200408181610.i7IGAVwt040054@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/70618; it has been noted by GNATS. From: freebsd-dr@durchnull.de To: freebsd-gnats-submit@FreeBSD.org, freebsd-dr@durchnull.de Cc: Subject: Re: ports/70618: print/a2ps-* using "file -L %s" as shell argument --> dangerous to use it in world-writable directories Date: 18 Aug 2004 16:00:46 -0000 The patch has a bug in the handling of a NULL return value of malloc. Here is a "better" patch: diff -ru ../a2ps-4.13.orig/src/select.c ./src/select.c --- ../a2ps-4.13.orig/src/select.c Wed Aug 18 16:32:09 2004 +++ ./src/select.c Wed Aug 18 16:49:12 2004 @@ -131,6 +131,36 @@ return 1; } +/* escapes the name of a file so that the shell groks it in 'single' q.marks. + The resulting pointer has to be free()ed when not longer used. */ +char * +shell_escape(const char *fn) +{ + size_t len = 0; + const char *inp; + char *retval, *outp; + + for(inp = fn; *inp; ++inp) + switch(*inp) + { + case '\'': len += 4; break; + default: len += 1; break; + } + + outp = retval = malloc(len + 1); + if(!outp) + return NULL; /* perhaps one should do better error handling here */ + for(inp = fn; *inp; ++inp) + switch(*inp) + { + case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break; + default: *outp++ = *inp; break; + } + *outp = 0; + + return retval; +} + /* What says file about the type of a file (result is malloc'd). NULL if could not be run. */ @@ -144,11 +174,15 @@ if (IS_EMPTY (job->file_command)) return NULL; + filename = shell_escape(filename); + if(filename == NULL) + return NULL; /* Call file(1) with the correct option */ - command = ALLOCA (char, (2 + command = ALLOCA (char, (4 + strlen (job->file_command) + ustrlen (filename))); - sprintf (command, "%s %s", job->file_command, (const char *) filename); + sprintf (command, "%s '%s'", job->file_command, (const char *) filename); + free(filename); message (msg_tool, (stderr, "Reading pipe: `%s'\n", command)); file_out = popen (command, "r");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200408181610.i7IGAVwt040054>