Date:      Fri, 11 Aug 2017 11:42:44 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 221416] pw useradd accepts invalid user names
Message-ID:  <bug-221416-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221416

            Bug ID: 221416
           Summary: pw useradd accepts invalid user names
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch, regression
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fk@fabiankeil.de
             Flags: mfc-stable10?, mfc-stable11?

Created attachment 185282
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=185282&action=edit
pw useradd: Validate the user name before creating the entry

When the -g option is used, pw useradd doesn't validate the user name.

A command like:
    pw useradd -u 1234 -g 1234 -n 'test user'
creates an invalid user.

The "-g 1234" is relevant; without it the name is rejected as expected:

    [fk@test ~]$ sudo pw useradd -u 1234 -n 'test user'
    pw: invalid character ` ' at position 4 in userid/group name

Bug unintentionally found with a salt config without explicit name entry:

    test user:
      user.present:
        - uid: 1234
        - gid: 1234
        - fullname: Test user
        - shell: /usr/local/bin/bash
        - home: /home/test
        - groups:
          - wheel
          - salt

"Luckily" salt modules rarely bother with input validation either ...

This regression was introduced when pw was refactored in 2015.

The attached patch fixes the issue and adds regression tests.

Obtained from: ElectroBSD

-- 
You are receiving this mail because:
You are the assignee for the bug.
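
An added example, not part of the original report or the attached patch: a pre-flight check that a caller such as a configuration-management run could apply before a name reaches `pw useradd`, plus an audit of passwd(5)-format data for entries that were already created. The function names, the allow-list and the length cap are assumptions made for this example (deliberately stricter than, and not a copy of, pw's own rule), and the state data is assumed to be already parsed into the dictionary form of the YAML shown in the report.

```python
import re

# Assumptions for this example: a conservative allow-list and length cap,
# stricter than (and not a copy of) the rule pw itself applies.
ALLOWED = re.compile(r"[A-Za-z0-9._-]")
MAX_LEN = 32

def check_name(name):
    """Return None if the name is acceptable, otherwise the reason."""
    if not name:
        return "empty name"
    if len(name) > MAX_LEN:
        return f"name longer than {MAX_LEN} characters"
    if name.startswith("-"):
        return "invalid character '-' at position 0"
    for pos, ch in enumerate(name):
        if not ALLOWED.fullmatch(ch):
            return f"invalid character {ch!r} at position {pos}"
    return None

def state_findings(states):
    """Check the name each user.present state would hand to pw."""
    findings = []
    for state_id, body in states.items():
        if "user.present" in body:
            given = [a["name"] for a in body["user.present"] or []
                     if isinstance(a, dict) and "name" in a]
            # Without an explicit name entry, the state ID is the user name.
            name = str(given[0]) if given else state_id
            if check_name(name):
                findings.append((state_id, name, check_name(name)))
    return findings

def passwd_findings(text):
    """Find entries with unacceptable names in passwd(5)-format text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        name = line.split(":", 1)[0]
        if line.strip() and not line.startswith("#") and check_name(name):
            findings.append((line_no, name, check_name(name)))
    return findings

# Constructed sample input: parsed state data and two passwd(5) lines.
SAMPLE_STATES = {
    "test user": {"user.present": [{"uid": 1234}, {"gid": 1234}]},
    "deploy": {"user.present": [{"name": "deploy"}, {"uid": 1235}]},
}
SAMPLE_PASSWD = ("root:*:0:0::/root:/bin/csh\n"
                 "test user:*:1234:1234:Test user:/home/test:/bin/sh\n")
```

The position reported is zero-based, matching the error message quoted in the report.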