Date: Fri, 25 Jan 2002 18:30:01 -0800 (PST)
Message-Id: <200201260230.g0Q2U1F97688@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: hsaka@mth.biglobe.ne.jp (Hironori Sakamoto)
Subject: Re: misc/34270: man -k could be used to execute any command.
Reply-To: hsaka@mth.biglobe.ne.jp (Hironori Sakamoto)

The following reply was made to PR misc/34270; it has been noted by GNATS.

From: hsaka@mth.biglobe.ne.jp (Hironori Sakamoto)
To: freebsd-gnats-submit@freebsd.org
Cc: hsaka@mth.biglobe.ne.jp, mike_makonnen@yahoo.com
Subject: Re: misc/34270: man -k could be used to execute any command.
Date: Sat, 26 Jan 2002 11:20:49 +0900 (JST)

Hello,

> From: Mike Makonnen
> > >Fix:
> > In do_apropos() in man/man.c, apropos name is only quoted with `"'.
> > sprintf (command, "%s \"%s\"", APROPOS, name);
> > Any special characters for /bin/sh should be escaped with `\'.
>
> I think the command should be single quoted instead of double quoted.
> - sprintf (command, "%s \"%s\"", APROPOS, name);
> + sprintf (command, "%s \'%s\'", APROPOS, name);

No! It has the same problem.

$ man -k "echo '; ls'"

-------------------------------------------
Hironori SAKAMOTO
http://www2u.biglobe.ne.jp/~hsaka/
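
Review bot: the `+` line still formats name into the command string unescaped, so a `'` inside name ends the single-quoted word and the remainder is parsed by /bin/sh as shell syntax. Rewrite each `'` in name as `'\''` before the sprintf, or run APROPOS with an argument vector instead of a shell command line. The sprintf into command also shows no bound on the length of name; a length-checked call would be safer here.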
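
The quoting problem discussed in this reply, as an added example that is not code from man.c or from the PR: a single-quoted word is only safe for /bin/sh once every embedded `'` has been rewritten as `'\''`. The names sh_quote and build_command and the literal "apropos" are hypothetical, and the input is the argument shown in the reply.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: malloc'd copy of s wrapped in single quotes, with
 * each embedded ' rewritten as '\'' so /bin/sh reads one literal word. */
char *sh_quote(const char *s)
{
    size_t n = 2;                       /* opening and closing quote */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;      /* ' becomes the 4 bytes '\'' */
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build "<prog> <quoted name>" as do_apropos() builds its command string,
 * but with name passed through sh_quote(). Caller frees the result. */
char *build_command(const char *prog, const char *name)
{
    char *quoted = sh_quote(name);
    if (quoted == NULL) return NULL;
    size_t len = strlen(prog) + 1 + strlen(quoted) + 1;
    char *cmd = malloc(len);            /* sized from the inputs, no fixed buffer */
    if (cmd != NULL)
        snprintf(cmd, len, "%s %s", prog, quoted);
    free(quoted);
    return cmd;
}

int main(void)
{
    /* Input taken from the reply above: a name containing single quotes. */
    char *cmd = build_command("apropos", "echo '; ls'");
    if (cmd == NULL) return 1;
    puts(cmd);
    free(cmd);
    return 0;
}
```

Passing the name as a separate argv element to an exec-family call avoids the shell, and the need for quoting, entirely.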