Bug 167744 - [patch] adduser(8): enclose with double quotes: $_input --> "$_input"
Summary: [patch] adduser(8): enclose with double quotes: $_input --> "$_input"
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 8.2-RELEASE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-09 17:30 UTC by Norihiko Murase
Modified: 2018-01-03 05:16 UTC (History)
0 users

See Also:


Attachments
file.diff (1.90 KB, patch)
2012-05-09 17:30 UTC, Norihiko Murase
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Norihiko Murase 2012-05-09 17:30:05 UTC
In the shell script 'adduser' (/usr/sbin/adduser), the value of shell 
variable "_input" is used WITHOUT double quotes in several places. 
This is NOT SAFE. You should replace them as follows:
  (before) $_input
   (after) "$_input"

Fix: Apply the patch attached, which solves this (potential) problem by 
modifying the shell script 'adduser' (/usr/sbin/adduser).


Patch attached with submission follows:
How-To-Repeat: This kind of difference (the lack of the double quotes) comes to a head
at least when the vaule includes a white space (` ').
# Example:
# when you specify the value with a white space as as the username.
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2012-05-09 20:19:20 UTC
Responsible Changed
From-To: freebsd-bugs->eadler

I'll take it.
Comment 2 Jilles Tjoelker freebsd_committer 2012-05-11 18:57:23 UTC
> [usr.sbin/adduser/adduser.sh lets sh split user input inappropriately]

If you are worried about spaces in user names, it also seems appropriate
to check for them (and other disallowed characters such as ',' and ':')
and reject such input.

A quick look finds some more places with missing quotes, like
	[ -z "$configflag" ] && printf "%-10s : %s\n" Username $username
on line 792.

On the other hand, the patch also adds quotes where they are
inconsequential. In lines like
	uuid=$_input
and
	case $_input in
the quotes are not needed because word splitting does not happen in such
contexts anyway (assignment and second word of case statement). Existing
code varies in adding or not adding unnecessary quotes in places like
these.

Note that things like export a="$b" do not count as an assignment for
this; they need the quotes except if bin/166771 is committed.

-- 
Jilles Tjoelker
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2012-11-08 20:54:43 UTC
Responsible Changed
From-To: eadler->freebsd-bugs

I won't be dealing with this PR for some time, so give it back to the 
pool
Comment 4 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:59 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped