Date: Tue, 21 Dec 1999 07:14:08 +1100
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: "Forrest W. Christian" <forrestc@iMach.com>
Cc: stable@FreeBSD.ORG
Subject: Re: edquota problem
Message-ID: <99Dec21.070526est.40331@border.alcanet.com.au>
In-Reply-To: <Pine.BSF.3.96.991219215559.10149C-100000@workhorse.iMach.com>; from forrestc@iMach.com on Mon, Dec 20, 1999 at 04:06:19PM +1100
References: <Pine.BSF.3.96.991219215559.10149C-100000@workhorse.iMach.com>

On 1999-Dec-20 16:06:19 +1100, "Forrest W. Christian" <forrestc@iMach.com> wrote:
>Specifically the code which determines whether the parameter is a username
>or a range of uids only checks for a) whether the first character of the
>parameter is a number and b) whether there is a dash in the parameter.

This is definitely wrong.  Input parameters should be properly checked
for validity.

IMHO, checking the parameter against the password file first, and then
checking if it's all numeric (or a range) is probably the more
reasonable approach, though this is a more complex fix.

>Alternatively, providing a switch to force one way or the other would be
>ok also.

I don't like this idea.

>I would patch the code and submit a fix if I knew what people thought the
>best way to fix this is, or if even people think that it should be changed
>at all.

It _should_ be fixed.  The simpler fix would replace the existing
test and atoi()'s with something like:

	if (isdigit(*argv[0]) &&
	    (startuid = strtol(*argv, &cp, 10)) >= 0 &&
	    *cp++ == '-' && isdigit(*cp) &&
	    (enduid = strtol(cp, &cp, 10)) >= 0 && !*cp) {

I'd pick whichever option you prefer and include it in a PR.  If
whoever looks at the PR doesn't agree, they can always do it another
way.

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
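Added example, not part of the original message and not edquota's own code: the loose test described in the quoted text next to a strict whole-argument parse in the spirit of the strtol() condition above. The function names, the ERANGE overflow check and the sample arguments are assumptions made for this illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Loose test as described in the quoted text: first character is a digit
 * and a dash appears somewhere. Modelled from that description only. */
static int weak_is_range(const char *arg)
{
    return isdigit((unsigned char)arg[0]) && strchr(arg, '-') != NULL;
}

/* Strict test: the whole argument must be "<digits>-<digits>".
 * Returns 1 and stores both bounds on success; returns 0 and leaves
 * *start and *end untouched otherwise. */
static int strict_uid_range(const char *arg, long *start, long *end)
{
    char *cp;
    long lo, hi;

    if (!isdigit((unsigned char)arg[0]))
        return 0;
    errno = 0;
    lo = strtol(arg, &cp, 10);
    /* Reject overflow, a missing dash, or a non-digit right after the dash. */
    if (errno == ERANGE || *cp++ != '-' || !isdigit((unsigned char)*cp))
        return 0;
    hi = strtol(cp, &cp, 10);
    /* Reject overflow or trailing characters after the second number. */
    if (errno == ERANGE || *cp != '\0')
        return 0;
    *start = lo;
    *end = hi;
    return 1;
}

int main(void)
{
    /* Constructed sample arguments, not taken from the thread. */
    const char *samples[] = { "1000-1999", "3com-admin", "1000-", "1000-1999x", "42" };
    long s = 0, e = 0;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s weak=%d strict=%d\n", samples[i],
            weak_is_range(samples[i]) != 0, strict_uid_range(samples[i], &s, &e));
    return 0;
}
```

An argument the strict parse rejects would then be treated as a username and looked up in the password file, rather than being converted to numbers.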