Date: Sat, 26 Jan 2002 09:40:06 -0800 (PST)
From: Giorgos Keramidas <keramida@freebsd.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/34270: man -k could be used to execute any command.
Message-ID: <200201261740.g0QHe6i07522@freefall.freebsd.org>
The following reply was made to PR misc/34270; it has been noted by GNATS.
From: Giorgos Keramidas <keramida@freebsd.org>
To: "Crist J. Clark" <cjc@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: misc/34270: man -k could be used to execute any command.
Date: Sat, 26 Jan 2002 19:23:40 +0200

Here's a partial fix for the "apropos" and "whatis" options of man(1).
This still leaves 4 places where man/man.c uses do_system_command(),
since I need to understand the code before I make any changes.  The
code of man.c is still vulnerable to environment variable tricks, but
at least it works with -f and -k options without problems:

My current /usr/bin/man executable:

    $ man -k 'firewalls"; echo --- hi giorgos! ---; "'
    firewall(7) - simple firewalls under FreeBSD
    --- hi giorgos! ---
    : permission denied
    execution of the shell failed in function system()

The patched man.c version works correctly:

    $ ./man -k 'firewalls"; echo --- hi giorgos! ---; "'
    firewalls"; echo --- hi giorgos! ---; ": nothing appropriate

Here's the diff...

--- patch begins here ---
Index: man/man.c
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v
retrieving revision 1.53
diff -2 -u -r1.53 man.c
--- man/man.c 22 Jan 2002 15:15:38 -0000 1.53
+++ man/man.c 26 Jan 2002 17:02:15 -0000
@@ -19,4 +19,6 @@
#define MAN_MAIN
+#include <sys/types.h>
+#include <sys/wait.h>
#include <sys/file.h>
#include <sys/stat.h>
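Review bot: The two includes added at the top of this hunk cover pid_t and waitpid(), but the later hunks also call fork(), execlp() and exit(), which are declared in <unistd.h> and <stdlib.h>. Neither header is visible in this context, so confirm man.c already pulls them in, or add them here so the new calls do not compile against implicit declarations.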
@@ -526,17 +528,16 @@
register char *name;
{
- register int len;
- register char *command;
-
- len = strlen (APROPOS) + strlen (name) + 4;
-
- if ((command = (char *) malloc(len)) == NULL)
- gripe_alloc (len, "command");
-
- sprintf (command, "%s \"%s\"", APROPOS, name);
-
- (void) do_system_command (command);
+ pid_t pid;
+ int status;
- free (command);
+ if ((pid = fork()) < 0) {
+ return;
+ } else if (pid > 0) {
+ waitpid(pid, &status, 0);
+ } else {
+ /* Run the "apropos" command. */
+ execlp(APROPOS, APROPOS, name, (char *) NULL);
+ exit(1);
+ }
}
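Review bot: In the child branch, a failed execlp() falls through to exit(1) with no message, and exit() flushes the stdio buffers the child inherited from the parent, so pending output can be written twice. Use _exit(127) there and report the reason first, for example with perror(APROPOS). The fork() < 0 branch also returns silently, whereas the removed code at least reported its allocation failure through gripe_alloc(), so a warning belongs there too. Passing name as a single argv entry removes the shell quoting problem, but a name that begins with '-' still reaches apropos as an option; if apropos accepts an end-of-options marker, pass "--" ahead of name.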
@@ -548,17 +549,16 @@
register char *name;
{
- register int len;
- register char *command;
-
- len = strlen (WHATIS) + strlen (name) + 4;
-
- if ((command = (char *) malloc(len)) == NULL)
- gripe_alloc (len, "command");
-
- sprintf (command, "%s \"%s\"", WHATIS, name);
-
- (void) do_system_command (command);
+ pid_t pid;
+ int status;
- free (command);
+ if ((pid = fork()) < 0) {
+ return;
+ } else if (pid > 0) {
+ waitpid(pid, &status, 0);
+ } else {
+ /* Run the "whatis" command. */
+ execlp(WHATIS, WHATIS, name, (char *) NULL);
+ exit(1);
+ }
}
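Review bot: This body repeats the apropos hunk line for line apart from WHATIS, so the fork/wait/exec sequence should move into one static helper that takes the program name and the argument, keeping any later fix to the child path in a single place. In the parent branch, waitpid(pid, &status, 0) fills status but nothing reads it, and the waitpid() return value is ignored; retry on EINTR and check WIFEXITED(status) and WEXITSTATUS(status) so a whatis that could not be run is not treated the same as one that succeeded.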
--- patch ends here ---
