Date: Mon, 28 Jan 2002 16:15:48 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Giorgos Keramidas <keramida@FreeBSD.ORG>
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: misc/34270: man -k could be used to execute any command.
Message-ID: <200201282115.g0SLFmo40513@khavrinen.lcs.mit.edu>
In-Reply-To: <200201261740.g0QHe6i07522@freefall.freebsd.org>
References: <200201261740.g0QHe6i07522@freefall.freebsd.org>
<<On Sat, 26 Jan 2002 09:40:06 -0800 (PST), Giorgos Keramidas <keramida@FreeBSD.ORG> said:

> Here's a partial fix for the "apropos" and "whatis" options of man(1).
> This leaves still 4 places where man/man.c uses do_system_command(),
> since I need to understand the code before I make any changes. The
> code of man.c is still vulnerable to environment variable tricks, but
> at least it works with -f and -k options without problems:

I would suggest that the apropos and whatis commands be run by their
full path names, avoiding the exec?p functions. If they are running
with privilege, the environment should be cleaned out as well.

-GAWollman

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
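The approach Wollman recommends, written as an added example for this page (it is not code from man(1) or from the patch under discussion): spawn apropos through its absolute path with execve and a fixed minimal environment, so no shell ever parses the keyword and no inherited PATH or MANPATH reaches the child. The `/usr/bin/apropos` location and the set-id privilege drop in the child are assumptions beyond what the message states.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/wait.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed minimal environment for the helper: nothing inherited from the
 * caller, so PATH, IFS, MANPATH and similar variables cannot be poisoned. */
static char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };

/* Run 'path' with 'argv' and the fixed environment above.
 * - 'path' must be absolute: there is no PATH search (no execlp/execvp).
 * - No shell is involved, so the arguments are never re-parsed.
 * Returns the child's exit status (0..255), or -1 on any failure. */
int run_clean(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;                      /* refuse relative names outright */

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Assumption beyond the message: if man(1) is set-id, give the
         * helper only the invoking user's credentials. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(path, argv, clean_env);  /* absolute path, clean environment */
        _exit(127);                     /* only reached if execve failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* What "man -k keyword" would do under this scheme: the keyword is a single
 * argv element, so shell metacharacters in it have no effect. */
int run_apropos(const char *keyword)
{
    char *argv[] = { "apropos", (char *)keyword, NULL };
    return run_clean("/usr/bin/apropos", argv);  /* assumed FreeBSD location */
}
```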