Date: Tue, 12 May 2026 10:15:21 +0200
From: Baptiste Daroussin <bapt@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 8b70a203be10 - main - nuageinit: fix command injection and related issues
Message-ID: <agLhIeG-KtacodaC@b.nours.eu>
In-Reply-To: <6a02dc5c.24b1f.734d8e95@gitrepo.freebsd.org>
On Tue 12 May 07:53, Baptiste Daroussin wrote:
> The branch main has been updated by bapt:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=8b70a203be10411c560ed303ab25713d70b316e9
>
> commit 8b70a203be10411c560ed303ab25713d70b316e9
> Author:     Baptiste Daroussin <bapt@FreeBSD.org>
> AuthorDate: 2026-05-07 18:22:14 +0000
> Commit:     Baptiste Daroussin <bapt@FreeBSD.org>
> CommitDate: 2026-05-12 07:52:32 +0000
>
>     nuageinit: fix command injection and related issues
>
>     - Add shell_escape() helper to safely escape shell arguments
>     - Apply shell_escape to all user-controlled values in shell commands:
>       adduser (usershow, useradd, lock, primary_group, groups)
>       addgroup (groupshow, groupadd, members)
>       exec_change_password (usermod)
>       settimezone (tzsetup root and timezone)
>       install_package (pkg package names)
>     - Escape double quotes in hostname when writing rc.conf.d/hostname
>     - Add missing 'local' declaration for resolvconf_command in nameservers()
>     - Escape interface name in resolvconf -a command
>     - Change open_resolvconf_conf() from 'w' to 'a' mode to prevent
>       data loss when nameservers() is called multiple times
>     - Clean up stale resolvconf.conf at the start of each boot
>       (skip on postnet to preserve config written by first call)
>
>     MFC After:      1 day

Part of this has been reported by: Yazdan Soltani <yazdan.soltani@gmail.com>
sorry I forgot to mention.

Best regards,
Bapt
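
The shell_escape() approach named in the commit message, sketched as an added example: this is not the code from the commit, and the function body, the `pw usershow -n` command line and the sample values are assumptions constructed for illustration. It quotes each value as a single `/bin/sh` word and checks, by passing it through a real shell, that the value comes back unchanged.

```lua
-- Added illustration, not the nuageinit source: function body and sample
-- values are assumptions constructed for this example.

-- Quote a value as one /bin/sh word. Nothing is interpreted inside single
-- quotes, so only the quote itself needs handling: close the string, emit
-- an escaped quote, reopen it ('\'').
local function shell_escape(value)
	local quoted = tostring(value):gsub("'", "'\\''")
	return "'" .. quoted .. "'"
end

-- Pass the escaped value through a real shell and read it back verbatim.
local function roundtrip(value)
	local p = assert(io.popen("printf '%s' " .. shell_escape(value)))
	local out = p:read("*a")
	p:close()
	return out
end

-- Constructed inputs standing in for user-controlled cloud-init values.
local samples = {
	"alice",
	"bob's laptop",
	"x; echo injected",
	"$(echo injected)",
	"`echo injected`",
	"two\nlines",
	"",
}

for _, name in ipairs(samples) do
	-- Before: the value is spliced into the command string as-is, so the
	-- shell parses any metacharacters it contains. (Printed only, never run.)
	local unsafe = "pw usershow -n " .. name
	-- After: the value reaches the command as exactly one argument.
	local safe = "pw usershow -n " .. shell_escape(name)
	print(("unsafe: %s\nsafe:   %s"):format(unsafe, safe))
	assert(roundtrip(name) == name, "value changed by the shell")
end
```

Single-quote escaping of this kind only covers values placed in a shell command line; a value written into a double-quoted assignment in a sourced file, such as the rc.conf.d/hostname case in the commit message, needs the escaping appropriate to that context instead.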
