From owner-freebsd-bugs@freebsd.org  Fri Jan  5 22:41:40 2018
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E1BADEC5AA2
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Fri,  5 Jan 2018 22:41:40 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id CD6AB36B1
 for <freebsd-bugs@FreeBSD.org>; Fri,  5 Jan 2018 22:41:40 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id w05Mfeng045302
 for <freebsd-bugs@FreeBSD.org>; Fri, 5 Jan 2018 22:41:40 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id w05MfesT045301
 for freebsd-bugs@FreeBSD.org; Fri, 5 Jan 2018 22:41:40 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 224556] pw(8) does not check semantics of name
Date: Fri, 05 Jan 2018 22:41:40 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 11.1-STABLE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: bernard.steiner@de.lahmeyer.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-224556-8-Qtm3Cx65qE@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-224556-8@https.bugs.freebsd.org/bugzilla/>
References: <bug-224556-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jan 2018 22:41:41 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D224556

--- Comment #2 from Bernard Steiner <bernard.steiner@de.lahmeyer.com> ---
(In reply to Brooks Davis from comment #1)
Yes, no checking for dots.
Using solely this list of forbidden characters, one can still construct the
user names "." and ".." and "pw useradd .." does The Evil Thing.
(I Did This, but then refrained from using pw userdel for the obvious reaso=
n.)
I would argue that passing garbage for "-d dir" is different in that the
checking of the garbage is up to the invoker of the command.

--=20
You are receiving this mail because:
You are the assignee for the bug.=