Date:      Fri, 25 Jan 2002 18:30:01 -0800 (PST)
From:      hsaka@mth.biglobe.ne.jp (Hironori Sakamoto)
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: misc/34270: man -k could be used to execute any command.
Message-ID:  <200201260230.g0Q2U1F97688@freefall.freebsd.org>

The following reply was made to PR misc/34270; it has been noted by GNATS.

From: hsaka@mth.biglobe.ne.jp (Hironori Sakamoto)
To: freebsd-gnats-submit@freebsd.org
Cc: hsaka@mth.biglobe.ne.jp, mike_makonnen@yahoo.com
Subject: Re: misc/34270: man -k could be used to execute any command.
Date: Sat, 26 Jan 2002 11:20:49 +0900 (JST)

 Hello,
 
 > From: Mike Makonnen <mike_makonnen@yahoo.com>
 > > >Fix:
 > > In do_apropos() in man/man.c, apropos name is only quoted with `"'.
 > >   sprintf (command, "%s \"%s\"", APROPOS, name);
 > > Any special characters for /bin/sh should be escaped with `\'.
 > I think the command should be single quoted instead of double quoted.
 > -  sprintf (command, "%s \"%s\"", APROPOS, name);
 > +  sprintf (command, "%s \'%s\'", APROPOS, name);
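 
 Review bot: the '%s' on the + line still breaks when name itself contains a ', because that character closes the quote and the rest of name is parsed by /bin/sh as shell syntax. Swapping the quote character does not remove the need to escape it: replace each ' in name with '\'' before formatting, or run APROPOS without a shell by passing name as a single argv entry to exec. Two smaller points on the same line: \' inside a C string literal is just ', so the backslashes can be dropped, and sprintf does not bound the write into command, so snprintf with the buffer size is the safer call.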
 
 No! It has the same problem.
 
 $ man -k "echo '; ls'"
 -------------------------------------------
 Hironori SAKAMOTO <hsaka@mth.biglobe.ne.jp>
  http://www2u.biglobe.ne.jp/~hsaka/
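
The quoting fix discussed in this thread, as an added example that is not part of the original message or of the FreeBSD man source: each ' in the argument is rewritten as '\'' inside single quotes, and the result is checked by passing it through /bin/sh. The names sh_quote and shell_sees_same are hypothetical, and printf stands in for the apropos program.

```c
/* Added example: quote one argument for /bin/sh, then verify by round trip. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Wrap `in` in single quotes; each embedded ' becomes '\'' (close the quote,
 * emit an escaped quote, reopen). Returns 0, or -1 if `out` is too small. */
static int sh_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return -1;                  /* room for '' and NUL */
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outsz) return -1;   /* +2: closing ' and NUL */
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Returns 1 if /bin/sh hands `name` to a command as exactly one unchanged
 * argument after quoting, 0 if not, -1 on error. printf stands in for the
 * apropos program (assumption). */
static int shell_sees_same(const char *name)
{
    char q[512], cmd[600], got[512];
    size_t n;
    FILE *p;
    if (sh_quote(name, q, sizeof q) != 0) return -1;
    if (snprintf(cmd, sizeof cmd, "printf %%s %s", q) >= (int)sizeof cmd) return -1;
    if ((p = popen(cmd, "r")) == NULL) return -1;
    n = fread(got, 1, sizeof got - 1, p);
    got[n] = '\0';
    if (pclose(p) != 0) return -1;
    return strcmp(got, name) == 0;
}

int main(void)
{
    const char *name = "echo '; ls'";   /* the argument from the message */
    char q[64];
    if (sh_quote(name, q, sizeof q) == 0) printf("quoted: %s\n", q);
    printf("round trip ok: %d\n", shell_sees_same(name));
    return 0;
}
```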
