From: Peter Jeremy
Date: Tue, 21 Dec 1999 07:14:08 +1100
Subject: Re: edquota problem
To: "Forrest W. Christian"
Cc: stable@FreeBSD.ORG

On 1999-Dec-20 16:06:19 +1100, "Forrest W. Christian" wrote:
>Specifically the code which determines whether the parameter is a username
>or a range of uids only checks for a) whether the first character of the
>parameter is a number and b) whether there is a dash in the parameter.

This is definitely wrong. Input parameters should be properly checked
for validity. IMHO, checking the parameter against the password file
first, and then checking if it's all numeric (or a range) is probably
the more reasonable approach, though this is a more complex fix.

>Alternatively, providing a switch to force one way or the other would be
>ok also.

I don't like this idea.

>I would patch the code and submit a fix if I knew what people thought the
>best way to fix this is, or if even people think that it should be changed
>at all.

It _should_ be fixed. The simpler fix would replace the existing test
and atoi()'s with something like:

	if (isdigit(*argv[0]) &&
	    (startuid = strtol(*argv, &cp, 10)) >= 0 &&
	    *cp++ == '-' && isdigit(*cp) &&
	    (enduid = strtol(cp, &cp, 10)) >= 0 && !*cp) {

I'd pick whichever option you prefer and include it in a PR.
If whoever looks at the PR doesn't agree, they can always do it
another way.

Peter
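Added example (not part of the original message and not edquota's own code): a C version of the approach discussed in the thread, looking the argument up in the password file first and only then accepting a strictly parsed uid or uid range. The names classify_arg, parse_uid, lookup_fn, passwd_lookup and sample_lookup, and the constructed user "3com-admin", are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
/* Added example: every name below is hypothetical, not edquota's own code. */
enum argkind { ARG_INVALID, ARG_USER, ARG_UID, ARG_RANGE };
typedef int (*lookup_fn)(const char *name, long *uid);

int passwd_lookup(const char *name, long *uid)    /* real password database */
{
    struct passwd *pw = getpwnam(name);
    if (pw != NULL)
        *uid = (long)pw->pw_uid;
    return pw != NULL;
}

int sample_lookup(const char *name, long *uid)    /* constructed test data */
{
    if (strcmp(name, "3com-admin") != 0)
        return 0;
    *uid = 1001;
    return 1;
}

static int parse_uid(const char *s, char **end, long *out)
{
    if (!isdigit((unsigned char)*s))    /* strtol alone accepts " 5", "+5", "-5" */
        return 0;
    errno = 0;                          /* so overflow (ERANGE) is detectable */
    *out = strtol(s, end, 10);
    return errno == 0 && (unsigned long)*out <= UINT_MAX; /* assumes uid_t fits */
}

/* Password file first, then one uid or a start-end range with no trailing junk. */
enum argkind classify_arg(const char *arg, lookup_fn lookup, long *start, long *end)
{
    char *cp = NULL;
    int named = lookup(arg, start);
    if (!named && !parse_uid(arg, &cp, start))
        return ARG_INVALID;
    if (named || *cp == '\0') {
        *end = *start;
        return named ? ARG_USER : ARG_UID;
    }
    if (*cp++ != '-' || !parse_uid(cp, &cp, end) || *cp != '\0' || *end < *start)
        return ARG_INVALID;
    return ARG_RANGE;
}
```

Passing passwd_lookup instead of sample_lookup runs the same classification against the system's password database.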