From owner-freebsd-bugs Sat Jan 26 9:40:31 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 12EAB37B402 for ; Sat, 26 Jan 2002 09:40:06 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g0QHe6i07522; Sat, 26 Jan 2002 09:40:06 -0800 (PST) (envelope-from gnats)
Date: Sat, 26 Jan 2002 09:40:06 -0800 (PST)
Message-Id: <200201261740.g0QHe6i07522@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Giorgos Keramidas
Subject: Re: misc/34270: man -k could be used to execute any command.
Reply-To: Giorgos Keramidas
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-Archive: (Web Archive)
List-Help: (List Instructions)
X-Loop: FreeBSD.org

The following reply was made to PR misc/34270; it has been noted by GNATS.

From: Giorgos Keramidas
To: "Crist J. Clark"
Cc: bug-followup@freebsd.org
Subject: Re: misc/34270: man -k could be used to execute any command.
Date: Sat, 26 Jan 2002 19:23:40 +0200

Here's a partial fix for the "apropos" and "whatis" options of man(1). This leaves still 4 places where man/man.c uses do_system_command(), since I need to understand the code before I make any changes. The code of man.c is still vulnerable to environment variable tricks, but at least it works with -f and -k options without problems:

My current /usr/bin/man executable:

    $ man -k 'firewalls"; echo --- hi giorgos! ---; "'
    firewall(7) - simple firewalls under FreeBSD
    --- hi giorgos! ---
    : permission denied
    execution of the shell failed in function system()

The patched man.c version works correctly:

    $ ./man -k 'firewalls"; echo --- hi giorgos! ---; "'
    firewalls"; echo --- hi giorgos! ---; ": nothing appropriate

Here's the diff...

--- patch begins here --- Index: man/man.c =================================================================== RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v retrieving revision 1.53 diff -2 -u -r1.53 man.c --- man/man.c 22 Jan 2002 15:15:38 -0000 1.53 +++ man/man.c 26 Jan 2002 17:02:15 -0000 @@ -19,4 +19,6 @@ #define MAN_MAIN +#include +#include #include #include @@ -526,17 +528,16 @@ register char *name; { - register int len; - register char *command; - - len = strlen (APROPOS) + strlen (name) + 4; - - if ((command = (char *) malloc(len)) == NULL) - gripe_alloc (len, "command"); - - sprintf (command, "%s \"%s\"", APROPOS, name); - - (void) do_system_command (command); + pid_t pid; + int status; - free (command); + if ((pid = fork()) < 0) { + return; + } else if (pid > 0) { + waitpid(pid, &status, 0); + } else { + /* Run the "apropos" command. */ + execlp(APROPOS, APROPOS, name, (char *) NULL); + exit(1); + } } 
@@ -548,17 +549,16 @@ register char *name; { - register int len; - register char *command; - - len = strlen (WHATIS) + strlen (name) + 4; - - if ((command = (char *) malloc(len)) == NULL) - gripe_alloc (len, "command"); - - sprintf (command, "%s \"%s\"", WHATIS, name); - - (void) do_system_command (command); + pid_t pid; + int status; - free (command); + if ((pid = fork()) < 0) { + return; + } else if (pid > 0) { + waitpid(pid, &status, 0); + } else { + /* Run the "whatis" command. */ + execlp(WHATIS, WHATIS, name, (char *) NULL); + exit(1); + } } --- patch ends here ---
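
Review bot: in the apropos hunk (@@ -526,17 +528,16 @@) both failure paths are silent: `if ((pid = fork()) < 0) { return; }` drops the error, and the child reaches `exit(1)` after a failed execlp() without reporting why. The removed code at least called gripe_alloc() when it could not proceed, so print a diagnostic in both places, and use `_exit()` rather than `exit()` in the child so that stdio buffers inherited from the parent are not flushed a second time. `waitpid(pid, &status, 0)` also ignores its return value and never looks at `status`, so an interrupted wait or a failing apropos goes unnoticed. Passing `name` as a single argv entry removes the quoting problem, but a `name` that begins with `-` would still reach apropos as an option; it is worth checking how apropos treats that.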
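
Review bot: the whatis hunk (@@ -548,17 +549,16 @@) repeats the fork/waitpid/execlp block of the apropos hunk line for line, differing only in WHATIS versus APROPOS, so the two should share one helper that takes the program and the argument. The mail says four more do_system_command() callers remain, and a single helper would be the place to fix the error handling once before converting those. Note also that execlp() searches PATH when its first argument contains no slash: if WHATIS and APROPOS are absolute paths, execl() states that intent directly, and if they are not, the lookup depends on the caller's PATH, which is the kind of environment-variable dependence the mail says is still open.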