Bug 275967 - man(1) does not support some special characters in filenames
Summary: man(1) does not support some special characters in filenames
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Wolfram Schneider
URL: https://reviews.freebsd.org/D43453
Keywords:
Depends on:
Blocks: 275978
  Show dependency treegraph
 
Reported: 2023-12-27 16:37 UTC by Wolfram Schneider
Modified: 2024-02-12 15:49 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfram Schneider freebsd_committer freebsd_triage 2023-12-27 16:37:10 UTC 
The shell script /usr/bin/man does not support some meta shell characters as
"(", "&", ")", ">", "<", "|"; ";"

E.g.

$ cp /usr/share/man/man1/cat.1.gz 'c;t.1.gz'
$ /usr/bin/man "./c;t.1.gz"
gzcat: can't stat: ./c: No such file or directory
eval: t.1.gz: not found
gzcat: can't stat: ./c: No such file or directory
eval: t.1.gz: not found

$ cp /usr/share/man/man1/cat.1.gz 'd(t.1.gz'
$ /usr/bin/man "./d(t.1.gz"
deval: 1: Syntax error: "(" unexpected
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-12-27 17:40:41 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4368d03e52c7c97d583ee6b81a59510d371ffbb

commit c4368d03e52c7c97d583ee6b81a59510d371ffbb
Author:     Wolfram Schneider <wosch@FreeBSD.org>
AuthorDate: 2023-12-27 17:35:08 +0000
Commit:     Wolfram Schneider <wosch@FreeBSD.org>
CommitDate: 2023-12-27 17:36:51 +0000

    improve handling of shell metacharacters in filenames

    PR:             275967
    MFC after:      1 week

 usr.bin/man/man.sh | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-01-05 08:19:58 UTC 
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c3c8d1f55d4be3a39696e5692425ae1d9c36bf77

commit c3c8d1f55d4be3a39696e5692425ae1d9c36bf77
Author:     Wolfram Schneider <wosch@FreeBSD.org>
AuthorDate: 2023-12-27 17:35:08 +0000
Commit:     Wolfram Schneider <wosch@FreeBSD.org>
CommitDate: 2024-01-05 08:18:01 +0000

    improve handling of shell metacharacters in filenames

    PR:             275967
    MFC after:      1 week

    (cherry picked from commit c4368d03e52c7c97d583ee6b81a59510d371ffbb)

 usr.bin/man/man.sh | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-01-05 08:20:59 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=05daf917987e2e5e29fa0f8a4bfb519f6d2ec953

commit 05daf917987e2e5e29fa0f8a4bfb519f6d2ec953
Author:     Wolfram Schneider <wosch@FreeBSD.org>
AuthorDate: 2023-12-27 17:35:08 +0000
Commit:     Wolfram Schneider <wosch@FreeBSD.org>
CommitDate: 2024-01-05 08:19:10 +0000

    improve handling of shell metacharacters in filenames

    PR:             275967
    MFC after:      1 week

    (cherry picked from commit c4368d03e52c7c97d583ee6b81a59510d371ffbb)

 usr.bin/man/man.sh | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
Comment 4 Wolfram Schneider freebsd_committer freebsd_triage 2024-01-14 13:37:18 UTC 
Unfortunately, there is another problem with double quotes and sub shell character as '`' '$'

$ cp /usr/share/man/man1/cat.1.gz 'c`t.1.gz'
$ /usr/bin/man './c`t.1.gz'
eval: 1: Syntax error: EOF in backquote substitution
eval: 1: Syntax error: Error in command substitution


I think the problem is the usage of eval "string....". I don't know why we are using eval here and if we really need it.

Using eval for untrusted user input does not make a shell script more secure. It is an easy way to shoot yourself in the foot.
Comment 5 commit-hook freebsd_committer freebsd_triage 2024-01-25 07:21:16 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b8a484ec343d163a40f7cf4a6026e880f992c738

commit b8a484ec343d163a40f7cf4a6026e880f992c738
Author:     Wolfram Schneider <wosch@FreeBSD.org>
AuthorDate: 2024-01-25 07:14:06 +0000
Commit:     Wolfram Schneider <wosch@FreeBSD.org>
CommitDate: 2024-01-25 07:14:06 +0000

    man: support special characters in filenames

    man.sh needs to handle double quotes and sub shell character
    as '`' '$' etc.

    PR:             275967
    Reviewed by:    bapt

    MFC after:      1 week
    Differential Revision: https://reviews.freebsd.org/D43453

 usr.bin/man/man.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2024-01-31 15:23:48 UTC 
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=47cb760dac09ee10343e58cd46e923f27bd87f9b

commit 47cb760dac09ee10343e58cd46e923f27bd87f9b
Author:     Wolfram Schneider <wosch@FreeBSD.org>
AuthorDate: 2024-01-25 07:14:06 +0000
Commit:     Wolfram Schneider <wosch@FreeBSD.org>
CommitDate: 2024-01-31 14:47:33 +0000

    man: support special characters in filenames

    man.sh needs to handle double quotes and sub shell character
    as '`' '$' etc.

    PR:             275967
    Reviewed by:    bapt

    MFC after:      1 week
    Differential Revision: https://reviews.freebsd.org/D43453

    (cherry picked from commit b8a484ec343d163a40f7cf4a6026e880f992c738)

 usr.bin/man/man.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2024-02-12 15:49:47 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=fedb7575a9202fae644c8499cfa9579d5765e3df

commit fedb7575a9202fae644c8499cfa9579d5765e3df
Author:     Wolfram Schneider <wosch@FreeBSD.org>
AuthorDate: 2024-01-25 07:14:06 +0000
Commit:     Wolfram Schneider <wosch@FreeBSD.org>
CommitDate: 2024-02-12 15:48:48 +0000

    man: support special characters in filenames

    man.sh needs to handle double quotes and sub shell character
    as '`' '$' etc.

    PR:             275967
    Reviewed by:    bapt

    MFC after:      1 week
    Differential Revision: https://reviews.freebsd.org/D43453

    (cherry picked from commit b8a484ec343d163a40f7cf4a6026e880f992c738)

 usr.bin/man/man.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)