Add protection against input containing single-quotes (e.g., i18n-users).
This commit is contained in:
Devin Teske
parent
863bb16483
commit
b00c7d1aa2
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=263149
@ -156,10 +156,17 @@ f_group_add()
|
|||||||
|
|
||||||
case "$mtag" in
|
case "$mtag" in
|
||||||
X) # Add/Exit
|
X) # Add/Exit
|
||||||
local cmd="pw groupadd -n '$group_name'"
|
local var
|
||||||
[ "$group_gid" ] && cmd="$cmd -g '$group_gid'"
|
for var in gid members name; do
|
||||||
|
local _group_$var
|
||||||
|
eval f_shell_escape \
|
||||||
|
\"\$group_$var\" _group_$var
|
||||||
|
done
|
||||||
|
|
||||||
|
local cmd="pw groupadd -n '$_group_name'"
|
||||||
|
[ "$group_gid" ] && cmd="$cmd -g '$_group_gid'"
|
||||||
[ "$group_members" ] &&
|
[ "$group_members" ] &&
|
||||||
cmd="$cmd -M '$group_members'"
|
cmd="$cmd -M '$_group_members'"
|
||||||
|
|
||||||
# Execute the command (break on success)
|
# Execute the command (break on success)
|
||||||
if [ "$group_password_disable" ]; then
|
if [ "$group_password_disable" ]; then
|
||||||
@ -196,10 +203,16 @@ f_group_add()
|
|||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
|
local var
|
||||||
|
for var in gid members name; do
|
||||||
|
local _group_$var
|
||||||
|
eval f_shell_escape \"\$group_$var\" _group_$var
|
||||||
|
done
|
||||||
|
|
||||||
# Form the command
|
# Form the command
|
||||||
local cmd="pw groupadd -n '$group_name'"
|
local cmd="pw groupadd -n '$_group_name'"
|
||||||
[ "$group_gid" ] && cmd="$cmd -g '$group_gid'"
|
[ "$group_gid" ] && cmd="$cmd -g '$_group_gid'"
|
||||||
[ "$group_members" ] && cmd="$cmd -M '$group_members'"
|
[ "$group_members" ] && cmd="$cmd -M '$_group_members'"
|
||||||
|
|
||||||
# Execute the command
|
# Execute the command
|
||||||
local retval err
|
local retval err
|
||||||
@ -276,8 +289,10 @@ f_group_delete()
|
|||||||
|
|
||||||
case "$mtag" in
|
case "$mtag" in
|
||||||
X) # Delete/Exit
|
X) # Delete/Exit
|
||||||
|
local _group_name
|
||||||
|
f_shell_escape "$group_name" _group_name
|
||||||
f_eval_catch $funcname pw 'pw groupdel "%s"' \
|
f_eval_catch $funcname pw 'pw groupdel "%s"' \
|
||||||
"$group_name" && break
|
"$_group_name" && break
|
||||||
;;
|
;;
|
||||||
1) # Group Name (select different group from list)
|
1) # Group Name (select different group from list)
|
||||||
f_dialog_menu_group_list "$group_name" || continue
|
f_dialog_menu_group_list "$group_name" || continue
|
||||||
@ -296,9 +311,10 @@ f_group_delete()
|
|||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
local retval err
|
local retval err _group_name
|
||||||
|
f_shell_escape "$group_name" _group_name
|
||||||
f_eval_catch -k err $funcname pw \
|
f_eval_catch -k err $funcname pw \
|
||||||
'pw groupdel "%s"' "$group_name"
|
"pw groupdel '%s'" "$_group_name"
|
||||||
retval=$?
|
retval=$?
|
||||||
if [ $retval -ne $SUCCESS ]; then
|
if [ $retval -ne $SUCCESS ]; then
|
||||||
f_show_err "%s" "$err"
|
f_show_err "%s" "$err"
|
||||||
@ -406,10 +422,17 @@ f_group_edit()
|
|||||||
|
|
||||||
case "$mtag" in
|
case "$mtag" in
|
||||||
X) # Save/Exit
|
X) # Save/Exit
|
||||||
local cmd="pw groupmod -n '$group_name'"
|
local var
|
||||||
[ "$group_gid" ] && cmd="$cmd -g '$group_gid'"
|
for var in gid members name; do
|
||||||
|
local _group_$var
|
||||||
|
eval f_shell_escape \
|
||||||
|
\"\$group_$var\" _group_$var
|
||||||
|
done
|
||||||
|
|
||||||
|
local cmd="pw groupmod -n '$_group_name'"
|
||||||
|
[ "$group_gid" ] && cmd="$cmd -g '$_group_gid'"
|
||||||
[ "$group_members" -o "$null_members" ] &&
|
[ "$group_members" -o "$null_members" ] &&
|
||||||
cmd="$cmd -M '$group_members'"
|
cmd="$cmd -M '$_group_members'"
|
||||||
|
|
||||||
# Execute the command (break on success)
|
# Execute the command (break on success)
|
||||||
if [ "$group_password_disable" ]; then
|
if [ "$group_password_disable" ]; then
|
||||||
@ -451,11 +474,17 @@ f_group_edit()
|
|||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
|
local var
|
||||||
|
for var in gid members name; do
|
||||||
|
local _group_$var
|
||||||
|
eval f_shell_escape \"\$group_$var\" _group_$var
|
||||||
|
done
|
||||||
|
|
||||||
# Form the command
|
# Form the command
|
||||||
local cmd="pw groupmod -n '$group_name'"
|
local cmd="pw groupmod -n '$_group_name'"
|
||||||
[ "$group_gid" ] && cmd="$cmd -g '$group_gid'"
|
[ "$group_gid" ] && cmd="$cmd -g '$_group_gid'"
|
||||||
[ "$group_members" -o "$null_members" ] &&
|
[ "$group_members" -o "$null_members" ] &&
|
||||||
cmd="$cmd -M '$group_members'"
|
cmd="$cmd -M '$_group_members'"
|
||||||
|
|
||||||
# Execute the command
|
# Execute the command
|
||||||
local retval err
|
local retval err
|
||||||
|
|||||||
@ -53,12 +53,16 @@ f_input_group()
|
|||||||
|
|
||||||
f_dprintf "$funcname: Getting info for group \`%s'" "$group"
|
f_dprintf "$funcname: Getting info for group \`%s'" "$group"
|
||||||
eval "$( pw groupshow "$group" 2> /dev/null | awk -F: '
|
eval "$( pw groupshow "$group" 2> /dev/null | awk -F: '
|
||||||
|
function set_value(var, value) {
|
||||||
|
gsub(/'\''/, "'\''\\'\'\''", value)
|
||||||
|
printf "group_%s='\'%s\''\n", var, value
|
||||||
|
}
|
||||||
{
|
{
|
||||||
found = $1 != ""
|
found = $1 != ""
|
||||||
printf "group_name='\'%s\''\n", $1
|
set_value("name", $1)
|
||||||
printf "group_password=\n"
|
set_value("password", "")
|
||||||
printf "group_gid='\'%s\''\n", $3
|
set_value("gid", $3)
|
||||||
printf "group_members='\'%s\''\n", $4
|
set_value("members", $4)
|
||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
END { if (!found) print "false" }' )"
|
END { if (!found) print "false" }' )"
|
||||||
@ -80,10 +84,13 @@ f_dialog_menu_group_list()
|
|||||||
|
|
||||||
# Add groups from group(5)
|
# Add groups from group(5)
|
||||||
menu_list="$menu_list $( pw groupshow -a | awk -F: '
|
menu_list="$menu_list $( pw groupshow -a | awk -F: '
|
||||||
!/^[[:space:]]*(#|$)/ {
|
function mprint(tag, item) {
|
||||||
printf "'\'%s\'\ \'%s\''\n", $1, $1
|
gsub(/'\''/, "'\''\\'\'\''", tag)
|
||||||
}'
|
gsub(/'\''/, "'\''\\'\'\''", item)
|
||||||
)"
|
printf "'\'%s\'\ \'%s\''\n", tag, item
|
||||||
|
}
|
||||||
|
!/^[[:space:]]*(#|$)/ { mprint($1, $1) }
|
||||||
|
' )"
|
||||||
|
|
||||||
local height width rows
|
local height width rows
|
||||||
eval f_dialog_menu_size height width rows \
|
eval f_dialog_menu_size height width rows \
|
||||||
@ -331,16 +338,18 @@ f_dialog_input_group_members()
|
|||||||
X) # Exit
|
X) # Exit
|
||||||
break ;;
|
break ;;
|
||||||
1) # Select Group Members from a list
|
1) # Select Group Members from a list
|
||||||
local __user_list __length=0 __user __check_list=
|
local __check_list= # Calculated below
|
||||||
|
local __user_list __u __user __length=0
|
||||||
__user_list=$( pw usershow -a |
|
__user_list=$( pw usershow -a |
|
||||||
awk -F: '!/^[[:space:]]*(#|$)/{print $1}' )
|
awk -F: '!/^[[:space:]]*(#|$)/{print $1}' )
|
||||||
while [ $__length -ne ${#__user_list} ]; do
|
while [ $__length -ne ${#__user_list} ]; do
|
||||||
__user="${__user_list%%$NL*}" # First line
|
__u="${__user_list%%$NL*}" # First line
|
||||||
|
f_shell_escape "$__u" __user
|
||||||
|
|
||||||
# Format of a checklist entry: tag item status
|
# Format of a checklist entry: tag item status
|
||||||
__check_list="$__check_list '$__user' ''"
|
__check_list="$__check_list '$__user' ''"
|
||||||
case "$__input" in
|
case "$__input" in
|
||||||
"$__user"|"$__user",*|*,"$__user",*|*,"$__user")
|
"$__u"|"$__u",*|*,"$__u",*|*,"$__u")
|
||||||
__check_list="$__check_list on" ;;
|
__check_list="$__check_list on" ;;
|
||||||
*)
|
*)
|
||||||
__check_list="$__check_list off"
|
__check_list="$__check_list off"
|
||||||
@ -416,12 +425,20 @@ f_dialog_menu_group_add()
|
|||||||
local defaultitem="$1"
|
local defaultitem="$1"
|
||||||
local hline="$hline_arrows_tab_enter"
|
local hline="$hline_arrows_tab_enter"
|
||||||
|
|
||||||
|
# Localize potentially hostile variables and escape their values
|
||||||
|
# to the local variable (see f_shell_escape() of `strings.subr')
|
||||||
|
local var
|
||||||
|
for var in gid members name; do
|
||||||
|
local _group_$var
|
||||||
|
eval f_shell_escape \"\$group_$var\" _group_$var
|
||||||
|
done
|
||||||
|
|
||||||
menu_list="
|
menu_list="
|
||||||
'X' '$msg_add/$msg_exit'
|
'X' '$msg_add/$msg_exit'
|
||||||
'1' '$msg_group: $group_name'
|
'1' '$msg_group: $_group_name'
|
||||||
'2' '$msg_password: -----'
|
'2' '$msg_password: -----'
|
||||||
'3' '$msg_group_id: $group_gid'
|
'3' '$msg_group_id: $_group_gid'
|
||||||
'4' '$msg_group_members: $group_members'
|
'4' '$msg_group_members: $_group_members'
|
||||||
" # END-QUOTE
|
" # END-QUOTE
|
||||||
|
|
||||||
local height width rows
|
local height width rows
|
||||||
@ -470,12 +487,20 @@ f_dialog_menu_group_delete()
|
|||||||
local group_name group_password group_gid group_members
|
local group_name group_password group_gid group_members
|
||||||
f_input_group "$1"
|
f_input_group "$1"
|
||||||
|
|
||||||
|
# Localize potentially hostile variables and escape their values
|
||||||
|
# to the local variable (see f_shell_escape() of `strings.subr')
|
||||||
|
local var
|
||||||
|
for var in gid members name; do
|
||||||
|
local _group_$var
|
||||||
|
eval f_shell_escape \"\$group_$var\" _group_$var
|
||||||
|
done
|
||||||
|
|
||||||
menu_list="
|
menu_list="
|
||||||
'X' '$msg_delete/$msg_exit'
|
'X' '$msg_delete/$msg_exit'
|
||||||
'1' '$msg_group: $group_name'
|
'1' '$msg_group: $_group_name'
|
||||||
'-' '$msg_password: -----'
|
'-' '$msg_password: -----'
|
||||||
'-' '$msg_group_id: $group_gid'
|
'-' '$msg_group_id: $_group_gid'
|
||||||
'-' '$msg_group_members: $group_members'
|
'-' '$msg_group_members: $_group_members'
|
||||||
" # END-QUOTE
|
" # END-QUOTE
|
||||||
|
|
||||||
local height width rows
|
local height width rows
|
||||||
@ -521,12 +546,20 @@ f_dialog_menu_group_edit()
|
|||||||
local defaultitem="$1"
|
local defaultitem="$1"
|
||||||
local hline="$hline_arrows_tab_enter"
|
local hline="$hline_arrows_tab_enter"
|
||||||
|
|
||||||
|
# Localize potentially hostile variables and escape their values
|
||||||
|
# to the local variable (see f_shell_escape() of `strings.subr')
|
||||||
|
local var
|
||||||
|
for var in gid members name; do
|
||||||
|
local _group_$var
|
||||||
|
eval f_shell_escape \"\$group_$var\" _group_$var
|
||||||
|
done
|
||||||
|
|
||||||
menu_list="
|
menu_list="
|
||||||
'X' '$msg_save/$msg_exit'
|
'X' '$msg_save/$msg_exit'
|
||||||
'1' '$msg_group: $group_name'
|
'1' '$msg_group: $_group_name'
|
||||||
'2' '$msg_password: -----'
|
'2' '$msg_password: -----'
|
||||||
'3' '$msg_group_id: $group_gid'
|
'3' '$msg_group_id: $_group_gid'
|
||||||
'4' '$msg_group_members: $group_members'
|
'4' '$msg_group_members: $_group_members'
|
||||||
" # END-QUOTE
|
" # END-QUOTE
|
||||||
|
|
||||||
local height width rows
|
local height width rows
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user