In the shell script 'adduser' (/usr/sbin/adduser), the value of shell variable "_input" is used WITHOUT double quotes in several places. This is NOT SAFE. You should replace them as follows:

    (before) $_input
    (after)  "$_input"

Fix: Apply the patch attached, which solves this (potential) problem by modifying the shell script 'adduser' (/usr/sbin/adduser). Patch attached with submission follows:

How-To-Repeat: This kind of difference (the lack of the double quotes) comes to a head at least when the value includes a white space (' ').

    # Example:
    # when you specify the value with a white space as the username.
Responsible Changed From-To: freebsd-bugs->eadler I'll take it.
> [usr.sbin/adduser/adduser.sh lets sh split user input inappropriately]

If you are worried about spaces in user names, it also seems appropriate to check for them (and other disallowed characters such as ',' and ':') and reject such input.

A quick look finds some more places with missing quotes, like

    [ -z "$configflag" ] && printf "%-10s : %s\n" Username $username

on line 792.

On the other hand, the patch also adds quotes where they are inconsequential. In lines like uuid=$_input and case $_input in the quotes are not needed because word splitting does not happen in such contexts anyway (assignment and second word of case statement). Existing code varies in adding or not adding unnecessary quotes in places like these. Note that things like export a="$b" do not count as an assignment for this; they need the quotes except if bin/166771 is committed.

-- Jilles Tjoelker
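The following POSIX sh script is an added illustration of the quoting behaviour discussed in the PR and in the comment above; it is not code from adduser.sh, the function names are made up, and the username 'john doe' is a constructed sample. It shows the word splitting that an unquoted $_input (or $username in the printf on line 792) undergoes, that an assignment and a case word are not split, and a check that rejects whitespace, ',' and ':' in a username as suggested.

```shell
#!/bin/sh
# Added example (hypothetical helpers), not part of adduser.sh.

# Unquoted expansion: the shell field-splits the value, so a username
# containing a space becomes two positional parameters.
count_words_unquoted() {
    _input=$1
    set -- $_input
    echo "$#"
}

# Quoted expansion: the value stays a single word.
count_words_quoted() {
    _input=$1
    set -- "$_input"
    echo "$#"
}

# Same defect as the printf on line 792: with the argument unquoted,
# printf sees two arguments and reuses the format, printing two lines.
show_user_unquoted() {
    username=$1
    printf "%-10s : %s\n" Username $username
}

show_user_quoted() {
    username=$1
    printf "%-10s : %s\n" Username "$username"
}

# Assignment (uuid=$_input) and the case word (case $_input in) are not
# subject to field splitting, so the quotes are inconsequential there.
case_without_quotes() {
    _input=$1
    uuid=$_input
    case $_input in
        "$uuid") echo match ;;
        *)       echo nomatch ;;
    esac
}

# Input validation: reject empty names and names containing whitespace,
# ',' or ':' (the characters the comment above calls disallowed).
valid_username() {
    case $1 in
        "" | *[[:space:]]* | *,* | *:*) return 1 ;;
        *) return 0 ;;
    esac
}
```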
Responsible Changed From-To: eadler->freebsd-bugs I won't be dealing with this PR for some time, so give it back to the pool
For bugs matching the following criteria:

    Status: In Progress
    Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags. Mail being skipped.
Keyword: patch or patch-ready, in lieu of summary line prefix: [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>