Bug 167744 - [patch] adduser(8): enclose with double quotes: $_input --> "$_input"
Summary: [patch] adduser(8): enclose with double quotes: $_input --> "$_input"
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 8.2-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2012-05-09 17:30 UTC by Norihiko Murase
Modified: 2022-10-17 12:36 UTC (History)
Attachments
file.diff (1.90 KB, patch)
2012-05-09 17:30 UTC, Norihiko Murase

Description Norihiko Murase 2012-05-09 17:30:05 UTC
In the shell script 'adduser' (/usr/sbin/adduser), the value of shell 
variable "_input" is used WITHOUT double quotes in several places. 
This is NOT SAFE. You should replace them as follows:
  (before) $_input
   (after) "$_input"

Fix: Apply the patch attached, which solves this (potential) problem by 
modifying the shell script 'adduser' (/usr/sbin/adduser).


Patch attached with submission follows:
How-To-Repeat: This kind of difference (the lack of the double quotes) comes to a head
at least when the value includes a white space (` ').
# Example:
# when you specify the value with a white space as the username.
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2012-05-09 20:19:20 UTC
Responsible Changed
From-To: freebsd-bugs->eadler

I'll take it.
Comment 2 Jilles Tjoelker freebsd_committer freebsd_triage 2012-05-11 18:57:23 UTC
> [usr.sbin/adduser/adduser.sh lets sh split user input inappropriately]

If you are worried about spaces in user names, it also seems appropriate
to check for them (and other disallowed characters such as ',' and ':')
and reject such input.

A quick look finds some more places with missing quotes, like
	[ -z "$configflag" ] && printf "%-10s : %s\n" Username $username
on line 792.

On the other hand, the patch also adds quotes where they are
inconsequential. In lines like
	uuid=$_input
and
	case $_input in
the quotes are not needed because word splitting does not happen in such
contexts anyway (assignment and second word of case statement). Existing
code varies in adding or not adding unnecessary quotes in places like
these.

Note that things like export a="$b" do not count as an assignment for
this; they need the quotes except if bin/166771 is committed.

-- 
Jilles Tjoelker
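The following POSIX sh functions are an added example, not code from the bug report, the attached patch, or adduser.sh itself. They illustrate both the reporter's point (an unquoted `$_input` is split into several words when the value contains a space) and the distinction drawn in Comment 2: assignment (`uuid=$_input`) and the word after `case` are never split, so quotes are inconsequential there, while an unquoted expansion used as a command argument is split on IFS. The last function is a sketch of the input check Comment 2 suggests; the exact set of characters it accepts (letters, digits, `_`, `.` and `-`) is an assumption made for this example, not adduser's real policy.

```sh
#!/bin/sh
# Added example (not from the bug report or adduser.sh): where word
# splitting does and does not happen, plus a user-name validation check.

# Prints how many arguments it received, so callers can observe how many
# words an expansion produced.
count_words() {
    echo "$#"
}

# Unquoted expansion as a command argument: the shell splits the value on
# IFS, so "jane doe" arrives as two words (the bug reporter's case).
words_unquoted() {
    _input="$1"
    count_words $_input          # prints 2 for "jane doe"
}

# Quoted expansion: the value is passed as exactly one word.
words_quoted() {
    _input="$1"
    count_words "$_input"        # prints 1 for "jane doe"
}

# Assignment context: no word splitting even without quotes (Comment 2),
# so the whole value is stored in uuid.
assign_unquoted() {
    _input="$1"
    uuid=$_input
    echo "$uuid"                 # prints "jane doe"
}

# The word after 'case' is not split either, so the pattern with a space
# can still match the whole value.
case_unquoted() {
    _input="$1"
    case $_input in
        "jane doe") echo matched ;;
        *)          echo nomatch ;;
    esac
}

# The reject-bad-input check suggested in Comment 2: refuse empty names and
# names containing whitespace, ',' or ':' (field separators in passwd-style
# files). The allowed set below is this example's assumption, not adduser's.
# Returns 0 if the name is acceptable, 1 otherwise.
valid_username() {
    case "$1" in
        "")                 return 1 ;;
        *[!A-Za-z0-9_.-]*)  return 1 ;;
        *)                  return 0 ;;
    esac
}

# Usage when run directly: exercise each function with the reporter's
# example value, a user name containing a space.
if [ "${0##*/}" = "quoting_example.sh" ]; then
    for f in words_unquoted words_quoted assign_unquoted case_unquoted; do
        printf '%-16s -> %s\n' "$f" "$("$f" "jane doe")"
    done
    for n in jane "jane doe" "jane,doe" "jane:doe"; do
        if valid_username "$n"; then r=accepted; else r=rejected; fi
        printf 'valid_username %-10s -> %s\n' "\"$n\"" "$r"
    done
fi
```

Save the block as `quoting_example.sh` to run the usage section. Note that the validation check is what actually closes the hole: quoting only keeps a bad value intact as one word, so a name such as `jane:doe` would still reach pw(8) unless it is rejected first.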
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2012-11-08 20:54:43 UTC
Responsible Changed
From-To: eadler->freebsd-bugs

I won't be dealing with this PR for some time, so give it back to the 
pool
Comment 4 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:59 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 5 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:36:19 UTC
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>