Add protection against input containing single-quotes (e.g., i18n-users).

2014-03-14 03:37:08 +00:00 · 2014-03-14 03:37:08 +00:00 · b00c7d1aa2
commit b00c7d1aa2
parent 863bb16483
2 changed files with 97 additions and 35 deletions
--- a/usr.sbin/bsdconfig/usermgmt/share/group.subr
+++ b/usr.sbin/bsdconfig/usermgmt/share/group.subr
@ -156,10 +156,17 @@ f_group_add()

 			case "$mtag" in
 			X) # Add/Exit
-			   local cmd="pw groupadd -n '$group_name'"
-			   [ "$group_gid" ] && cmd="$cmd -g '$group_gid'"
+			   local var
+			   for var in gid members name; do
+			   	local _group_$var
+			   	eval f_shell_escape \
+			   		\"\$group_$var\" _group_$var
+			   done
+
+			   local cmd="pw groupadd -n '$_group_name'"
+			   [ "$group_gid" ] && cmd="$cmd -g '$_group_gid'"
 			   [ "$group_members" ] &&
-			   	cmd="$cmd -M '$group_members'"
+			   	cmd="$cmd -M '$_group_members'"

 			   # Execute the command (break on success)
 			   if [ "$group_password_disable" ]; then
@ -196,10 +203,16 @@ f_group_add()
 			esac
 		done
 	else
+		local var
+		for var in gid members name; do
+			local _group_$var
+			eval f_shell_escape \"\$group_$var\" _group_$var
+		done
+
 		# Form the command
-		local cmd="pw groupadd -n '$group_name'"
-		[ "$group_gid" ] && cmd="$cmd -g '$group_gid'"
-		[ "$group_members" ] && cmd="$cmd -M '$group_members'"
+		local cmd="pw groupadd -n '$_group_name'"
+		[ "$group_gid" ] && cmd="$cmd -g '$_group_gid'"
+		[ "$group_members" ] && cmd="$cmd -M '$_group_members'"

 		# Execute the command
 		local retval err
@ -276,8 +289,10 @@ f_group_delete()

 			case "$mtag" in
 			X) # Delete/Exit
+			   local _group_name
+			   f_shell_escape "$group_name" _group_name
 			   f_eval_catch $funcname pw 'pw groupdel "%s"' \
-					"$group_name" && break
+					"$_group_name" && break
 			   ;;
 			1) # Group Name (select different group from list)
 			   f_dialog_menu_group_list "$group_name" || continue
@ -296,9 +311,10 @@ f_group_delete()
 			esac
 		done
 	else
-		local retval err
+		local retval err _group_name
+		f_shell_escape "$group_name" _group_name
 		f_eval_catch -k err $funcname pw \
-			'pw groupdel "%s"' "$group_name"
+			"pw groupdel '%s'" "$_group_name"
 		retval=$?
 		if [ $retval -ne $SUCCESS ]; then
 			f_show_err "%s" "$err"
@ -406,10 +422,17 @@ f_group_edit()

 			case "$mtag" in
 			X) # Save/Exit
-			   local cmd="pw groupmod -n '$group_name'"
-			   [ "$group_gid" ] && cmd="$cmd -g '$group_gid'"
+			   local var
+			   for var in gid members name; do
+			   	local _group_$var
+			   	eval f_shell_escape \
+			   		\"\$group_$var\" _group_$var
+			   done
+
+			   local cmd="pw groupmod -n '$_group_name'"
+			   [ "$group_gid" ] && cmd="$cmd -g '$_group_gid'"
 			   [ "$group_members" -o "$null_members" ] &&
-			   	cmd="$cmd -M '$group_members'"
+			   	cmd="$cmd -M '$_group_members'"

 			   # Execute the command (break on success)
 			   if [ "$group_password_disable" ]; then
@ -451,11 +474,17 @@ f_group_edit()
 			esac
 		done
 	else
+		local var
+		for var in gid members name; do
+			local _group_$var
+			eval f_shell_escape \"\$group_$var\" _group_$var
+		done
+
 		# Form the command
-		local cmd="pw groupmod -n '$group_name'"
-		[ "$group_gid" ] && cmd="$cmd -g '$group_gid'"
+		local cmd="pw groupmod -n '$_group_name'"
+		[ "$group_gid" ] && cmd="$cmd -g '$_group_gid'"
 		[ "$group_members" -o "$null_members" ] &&
-			cmd="$cmd -M '$group_members'"
+			cmd="$cmd -M '$_group_members'"

 		# Execute the command
 		local retval err
--- a/usr.sbin/bsdconfig/usermgmt/share/group_input.subr
+++ b/usr.sbin/bsdconfig/usermgmt/share/group_input.subr
@ -53,12 +53,16 @@ f_input_group()

 	f_dprintf "$funcname: Getting info for group \`%s'" "$group"
 	eval "$( pw groupshow "$group" 2> /dev/null | awk -F: '
+	function set_value(var, value) {
+		gsub(/'\''/, "'\''\\'\'\''", value)
+		printf "group_%s='\'%s\''\n", var, value
+	}
 	{
 		found = $1 != ""
-		printf "group_name='\'%s\''\n",    $1
-		printf "group_password=\n"
-		printf "group_gid='\'%s\''\n",     $3
-		printf "group_members='\'%s\''\n", $4
+		set_value("name",     $1)
+		set_value("password", "")
+		set_value("gid",      $3)
+		set_value("members",  $4)
 		exit
 	}
 	END { if (!found) print "false" }' )"
@ -80,10 +84,13 @@ f_dialog_menu_group_list()

 	# Add groups from group(5)
 	menu_list="$menu_list $( pw groupshow -a | awk -F: '
-		!/^[[:space:]]*(#|$)/ {
-			printf "'\'%s\'\ \'%s\''\n", $1, $1
-		}'
-	)"
+		function mprint(tag, item) {
+			gsub(/'\''/, "'\''\\'\'\''", tag)
+			gsub(/'\''/, "'\''\\'\'\''", item)
+			printf "'\'%s\'\ \'%s\''\n", tag, item
+		}
+		!/^[[:space:]]*(#|$)/ { mprint($1, $1) }
+	' )"

 	local height width rows
 	eval f_dialog_menu_size height width rows \
@ -331,16 +338,18 @@ f_dialog_input_group_members()
 		X) # Exit
 			break ;;
 		1) # Select Group Members from a list
-			local __user_list __length=0 __user __check_list=
+			local __check_list= # Calculated below
+			local __user_list __u __user __length=0
 			__user_list=$( pw usershow -a |
 				awk -F: '!/^[[:space:]]*(#|$)/{print $1}' )
 			while [ $__length -ne ${#__user_list} ]; do
-				__user="${__user_list%%$NL*}" # First line
+				__u="${__user_list%%$NL*}" # First line
+				f_shell_escape "$__u" __user

 				# Format of a checklist entry: tag item status
 				__check_list="$__check_list '$__user' ''"
 				case "$__input" in
-				"$__user"|"$__user",*|*,"$__user",*|*,"$__user")
+				"$__u"|"$__u",*|*,"$__u",*|*,"$__u")
 					__check_list="$__check_list on" ;;
 				*)
 					__check_list="$__check_list off"
@ -416,12 +425,20 @@ f_dialog_menu_group_add()
 	local defaultitem="$1"
 	local hline="$hline_arrows_tab_enter"

+	# Localize potentially hostile variables and escape their values
+	# to the local variable (see f_shell_escape() of `strings.subr')
+	local var
+	for var in gid members name; do
+		local _group_$var
+		eval f_shell_escape \"\$group_$var\" _group_$var
+	done
+
 	menu_list="
 		'X' '$msg_add/$msg_exit'
-		'1' '$msg_group: $group_name'
+		'1' '$msg_group: $_group_name'
 		'2' '$msg_password: -----'
-		'3' '$msg_group_id: $group_gid'
-		'4' '$msg_group_members: $group_members'
+		'3' '$msg_group_id: $_group_gid'
+		'4' '$msg_group_members: $_group_members'
 	" # END-QUOTE

 	local height width rows
@ -470,12 +487,20 @@ f_dialog_menu_group_delete()
 	local group_name group_password group_gid group_members
 	f_input_group "$1"

+	# Localize potentially hostile variables and escape their values
+	# to the local variable (see f_shell_escape() of `strings.subr')
+	local var
+	for var in gid members name; do
+		local _group_$var
+		eval f_shell_escape \"\$group_$var\" _group_$var
+	done
+
 	menu_list="
 		'X' '$msg_delete/$msg_exit'
-		'1' '$msg_group: $group_name'
+		'1' '$msg_group: $_group_name'
 		'-' '$msg_password: -----'
-		'-' '$msg_group_id: $group_gid'
-		'-' '$msg_group_members: $group_members'
+		'-' '$msg_group_id: $_group_gid'
+		'-' '$msg_group_members: $_group_members'
 	" # END-QUOTE

 	local height width rows
@ -521,12 +546,20 @@ f_dialog_menu_group_edit()
 	local defaultitem="$1"
 	local hline="$hline_arrows_tab_enter"

+	# Localize potentially hostile variables and escape their values
+	# to the local variable (see f_shell_escape() of `strings.subr')
+	local var
+	for var in gid members name; do
+		local _group_$var
+		eval f_shell_escape \"\$group_$var\" _group_$var
+	done
+
 	menu_list="
 		'X' '$msg_save/$msg_exit'
-		'1' '$msg_group: $group_name'
+		'1' '$msg_group: $_group_name'
 		'2' '$msg_password: -----'
-		'3' '$msg_group_id: $group_gid'
-		'4' '$msg_group_members: $group_members'
+		'3' '$msg_group_id: $_group_gid'
+		'4' '$msg_group_members: $_group_members'
 	" # END-QUOTE

 	local height width rows