Date: Wed, 9 May 2001 16:03:11 +0200
From: Maxime Henrion <mux@qualys.com>
To: audit@FreeBSD.org
Cc: Peter Pentchev <roam@orbitel.bg>
Subject: Re: chpass patch to disallow non-printable characters in the passwd file
Message-ID: <20010509160311.C984@nebula.cybercable.fr>
In-Reply-To: <20010509164622.C645@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, May 09, 2001 at 04:46:22PM +0300
References: <20010509131550.A984@nebula.cybercable.fr> <20010509041914.A36212@xor.obsecurity.org> <20010509164622.C645@ringworld.oblivion.bg>

Peter Pentchev wrote:
> On Wed, May 09, 2001 at 04:19:14AM -0700, Kris Kennaway wrote:
> > On Wed, May 09, 2001 at 01:15:50PM +0200, Maxime Henrion wrote:
> > > Hi,
> > >
> > > Here is another patch from OpenBSD taken from Kris mailbox. It prevents
> > > users from putting non-printable characters in the passwd file.
> >
> > I'm not sure whether isprint() is the canonical way to check this in
> > the face of different locales. Can someone confirm the correct way to
> > do this?
>
> isprint() does honor locales, if setlocale() is called in advance.
> So this fix is proper, but not enough - there must be a call to
> setlocale(LC_ALL, ""), and a good place for it would be the start of main,
> even before the getopt() call, as done by a lot of other base system tools.
>
> G'luck,
> Peter

OK, here is a new patch with the missing setlocale() call. I did a
setlocale(LC_CTYPE, "") as it's only used for the ctype.h functions.

Maxime -- Don't be fooled by cheap finnish imitations ; BSD is the One True Code Key fingerprint = F9B6 1D5A 4963 331C 88FC CA6A AB50 1EF2 8CBE 99D6 Public Key : http://www.epita.fr/~henrio_m/ --98e8jtXdkpgskNou Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="chpass.diff" diff -c /usr/src/usr.bin/chpass/chpass.c ./chpass.c *** /usr/src/usr.bin/chpass/chpass.c Sat Apr 28 01:14:31 2001 --- ./chpass.c Wed May 9 15:59:24 2001 *************** *** 53,58 **** --- 53,59 ---- #include <err.h> #include <errno.h> #include <fcntl.h> + #include <locale.h> #include <pwd.h> #include <stdio.h> #include <stdlib.h> *************** *** 92,97 **** --- 93,99 ---- int force_yp = 0; #endif + setlocale(LC_CTYPE, ""); op = EDITENTRY; #ifdef YP while ((ch = getopt(argc, argv, "a:p:s:e:d:h:oly")) != -1) diff -c /usr/src/usr.bin/chpass/edit.c ./edit.c *** /usr/src/usr.bin/chpass/edit.c Wed Sep 6 20:16:46 2000 --- ./edit.c Wed May 9 13:12:05 2001 *************** *** 184,193 **** struct passwd *pw; { ENTRY *ep; ! char *p; struct stat sb; FILE *fp; ! int len, line; static char buf[LINE_MAX]; if (!(fp = fopen(tempname, "r"))) --- 184,193 ---- struct passwd *pw; { ENTRY *ep; ! char *p, *q; struct stat sb; FILE *fp; ! unsigned int len, line; static char buf[LINE_MAX]; if (!(fp = fopen(tempname, "r"))) *************** *** 225,231 **** goto bad; } while (isspace(*++p)); ! if (ep->except && strpbrk(p, ep->except)) { warnx( "illegal character in the \"%s\" field", ep->prompt); --- 225,235 ---- goto bad; } while (isspace(*++p)); ! for (q = p; *q && isprint(*q); q++) { ! if (ep->except && strchr(ep->except, *q)) ! break; ! } ! if (*q) { warnx( "illegal character in the \"%s\" field", ep->prompt); --98e8jtXdkpgskNou-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
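
Review bot: In the chpass.c hunk at line 93, setlocale(LC_CTYPE, "") takes the locale from the caller's environment, so the set of bytes that the new isprint() test in edit.c accepts is chosen by whoever runs chpass. Say in a comment that this is intended, or consider whether passwd fields should be limited to what the default "C" locale treats as printable. The return value is also dropped without a (void) cast, so a failed locale setup goes unnoticed.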
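
Review bot: In the edit.c hunk at line 184, the switch of len and line from int to unsigned int is not mentioned in the message, and nothing in the visible hunks needs it. Please explain it or split it into its own change, and check that no remaining use of len or line relies on a negative value or a signed comparison.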
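
Review bot: In the edit.c hunk at line 225, isprint(*q) is called on a plain char; where char is signed, bytes above 0x7f reach it as negative values, which is undefined behaviour for the ctype.h functions, and those are exactly the bytes a non-C LC_CTYPE is meant to classify. Use isprint((unsigned char)*q) here. The loop also ends on either a non-printable byte or a character from ep->except with the same "illegal character" warning, so a short comment above the loop saying both cases are rejected would help the next reader.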