Date: Fri, 25 Jan 2002 09:24:22 -0800 (PST)
From: Hironori SAKAMOTO <hsaka@mth.biglobe.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/34270: man -k could be used to execute any command.
Message-ID: <200201251724.g0PHOMW73157@freefall.freebsd.org>

>Number: 34270
>Category: misc
>Synopsis: man -k could be used to execute any command.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 25 09:30:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Hironori SAKAMOTO
>Release:
>Organization:
>Environment:
>Description:
"man -k" could be used to execute any command.
For example:

    $ man -k 'echo "; ls"'

executes "ls"

I could not investigate how dangerous this behavior is.
At least, when web-CGI uses "man -k" with query string,
even if the string is quoted for /bin/sh, any command could be executed.

>How-To-Repeat:
    $ export PAGER=cat
    $ ls
    a b
    $ man -k 'echo "; ls"'
    echo(1) - write arguments to the standard output
    a b

>Fix:
In do_apropos() in man/man.c, apropos name is only quoted with `"'.

    sprintf (command, "%s \"%s\"", APROPOS, name);

Any special characters for /bin/sh should be escaped with `\'.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
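
The quoting problem described under >Fix, as an added example that is not part of the original report or of man's own source: build_unsafe repeats the sprintf pattern quoted above, and build_safe wraps the name in single quotes for /bin/sh, a different technique from the backslash escaping the report suggests. The APROPOS value, sh_quote, and both builder names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define APROPOS "apropos"   /* assumption: stand-in for man's APROPOS macro */

/* The pattern quoted in the report: name is only wrapped in double quotes,
 * so a '"' inside name ends the quoting and the rest is parsed by /bin/sh. */
int build_unsafe(char *out, size_t n, const char *name)
{
    int len = snprintf(out, n, "%s \"%s\"", APROPOS, name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hypothetical helper: wrap s in single quotes for /bin/sh. Inside single
 * quotes nothing is special except ' itself, which is emitted as '\''.
 * Returns 0 on success, -1 if the result does not fit in out. */
int sh_quote(char *out, size_t n, const char *s)
{
    size_t o = 0;
    if (n < 3) return -1;
    out[o++] = '\'';
    for (; *s; s++) {
        size_t need = (*s == '\'') ? 4 : 1;
        if (o + need + 2 > n) return -1;   /* keep room for closing ' and NUL */
        if (*s == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *s;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Hardened builder: the quoted name reaches apropos as one argument. */
int build_safe(char *out, size_t n, const char *name)
{
    char q[1024];
    if (sh_quote(q, sizeof q, name) != 0) return -1;
    int len = snprintf(out, n, "%s %s", APROPOS, q);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    const char *name = "echo \"; ls\"";   /* input from the report */
    char cmd[2048];
    if (build_unsafe(cmd, sizeof cmd, name) == 0) printf("unsafe: %s\n", cmd);
    if (build_safe(cmd, sizeof cmd, name) == 0)   printf("safe:   %s\n", cmd);
    return 0;
}
```

Passing the name as its own argv element to an exec-family call, with no shell in between, removes the need for quoting altogether.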