Date: Wed, 9 May 2001 04:19:14 -0700
From: Kris Kennaway
To: Maxime Henrion
Cc: audit@FreeBSD.ORG, freebsd-i18n@FreeBSD.org
Subject: Re: chpass patch to disallow non-printable characters in the passwd file

On Wed, May 09, 2001 at 01:15:50PM +0200, Maxime Henrion wrote:
> Hi,
>
> Here is another patch from OpenBSD taken from Kris's mailbox. It prevents
> users from putting non-printable characters in the passwd file.

I'm not sure whether isprint() is the canonical way to check this in the face of different locales. Can someone confirm the correct way to do this?

Kris

>
> Maxime
> --
> Don't be fooled by cheap Finnish imitations ; BSD is the One True Code
> Key fingerprint = F9B6 1D5A 4963 331C 88FC CA6A AB50 1EF2 8CBE 99D6
> Public Key : http://www.epita.fr/~henrio_m/
> *** /usr/src/usr.bin/chpass/edit.c Wed Sep 6 20:16:46 2000 > --- edit.c Wed May 9 13:12:05 2001 > *************** > *** 184,193 **** > struct passwd *pw; > { > ENTRY *ep; > ! char *p; > struct stat sb; > FILE *fp; > ! int len, line; > static char buf[LINE_MAX]; > =20 > if (!(fp =3D fopen(tempname, "r"))) > --- 184,193 ---- > struct passwd *pw; > { > ENTRY *ep; > ! char *p, *q; > struct stat sb; > FILE *fp; > ! unsigned int len, line; > static char buf[LINE_MAX]; > =20 > if (!(fp =3D fopen(tempname, "r"))) > *************** > *** 225,231 **** > goto bad; > } > while (isspace(*++p)); > ! if (ep->except && strpbrk(p, ep->except)) { > warnx( > "illegal character in the \"%s\" field", > ep->prompt); > --- 225,235 ---- > goto bad; > } > while (isspace(*++p)); > ! for (q =3D p; *q && isprint(*q); q++) { > ! if (ep->except && strchr(ep->except, *q)) > ! break; > ! } > ! if (*q) { > warnx( > "illegal character in the \"%s\" field", > ep->prompt);
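
Review bot: The change from "int len, line;" to "unsigned int len, line;" in the first hunk (declarations at 184,193) is not needed by the non-printable check and is not explained in the message. The visible context shows no use of either variable, so every comparison and format string that touches them should be rechecked for signed/unsigned mismatches, or the type change split into its own patch with a stated reason.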
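
Review bot: In the second hunk (225,235), isprint(*q) is called on a plain char; where char is signed, a byte with the high bit set is passed as a negative value, for which the ctype functions have no defined behaviour. Cast at the call, isprint((unsigned char)*q), and do the same for the isspace(*++p) context line above it. The result of isprint() also follows the current locale, so which 8-bit characters a field may contain is decided by whatever locale the program has set, and the patch should say which locale it expects. The new loop also runs for fields where ep->except is NULL, which the old strpbrk() test skipped, so the "illegal character" warning can now fire on fields that were previously unchecked; that is worth stating in the commit message.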