In the shell script 'adduser' (/usr/sbin/adduser), the value of shell
variable "_input" is used WITHOUT double quotes in several places.
This is NOT SAFE. You should replace them as follows:
Fix: Apply the patch attached, which solves this (potential) problem by
modifying the shell script 'adduser' (/usr/sbin/adduser).
Patch attached with submission follows:
How-To-Repeat: This kind of difference (the lack of the double quotes) comes to a head
at least when the value includes a white space (` ').
# when you specify the value with a white space as the username.
I'll take it.
> [usr.sbin/adduser/adduser.sh lets sh split user input inappropriately]
If you are worried about spaces in user names, it also seems appropriate
to check for them (and other disallowed characters such as ',' and ':')
and reject such input.
A quick look finds some more places with missing quotes, like
    [ -z "$configflag" ] && printf "%-10s : %s\n" Username $username
on line 792.
On the other hand, the patch also adds quotes where they are
inconsequential. In lines like
    case $_input in
the quotes are not needed because word splitting does not happen in such
contexts anyway (assignment and second word of case statement). Existing
code varies in adding or not adding unnecessary quotes in places like
Note that things like export a="$b" do not count as an assignment for
this; they need the quotes except if bin/166771 is committed.
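
The splitting contexts discussed in the reply above, together with the suggested rejection of spaces, ',' and ':', as an added shell example that is not part of the PR or of adduser.sh. The function names are hypothetical and the sample name is constructed.

```shell
#!/bin/sh
# Added example, not code from adduser.sh. All function names are hypothetical.

# Print how many arguments were received.
count_args() { echo "$#"; }

# Unquoted expansion in a command's argument list is field-split on IFS.
split_unquoted() { _input=$1; count_args $_input; }

# Quoted expansion is always passed as exactly one argument.
split_quoted() { _input=$1; count_args "$_input"; }

# A plain assignment and the word after `case` are not field-split,
# so the missing quotes in these two places change nothing.
copy_and_match() {
    _input=$1
    _copy=$_input
    case $_copy in
    "$1") echo same ;;
    *) echo different ;;
    esac
}

# Reject empty names and names containing a space, ',' or ':'
# (the characters named in the reply; a real check may need more).
valid_username() {
    case $1 in
    ''|*" "*|*,*|*:*) return 1 ;;
    esac
    return 0
}

# Constructed sample input: a name containing one space.
name='J Smith'
echo "unquoted: $(split_unquoted "$name") args, quoted: $(split_quoted "$name") arg"
echo "assignment/case: $(copy_and_match "$name")"
if valid_username "$name"; then echo "accepted"; else echo "rejected"; fi
```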
I won't be dealing with this PR for some time, so give it back to the
For bugs matching the following criteria:
Status: In Progress Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.
Mail being skipped