Actually, I have merged the patch in the next release candidate but I
cannot release it in the current form (attached).
Here is the problem: once the patch is in place, the quoted mode of the
is_shell_safe() function becomes useless, as the main difference is an
increment to skip checking for whitespace (in src/util.c).
In the current form, however, the patch removes bad[0] (which used to be
whitespace), and as a result the ++ increment results in quoted strings
not being checked for ';'.
This is perhaps not all that dangerous, but still sloppy. I point it out
here because I understand that the CYGWIN codebase currently ships the
patch.
Input and corrections are welcome.
Best -F
Federico Lucifredi wrote:
Hello Volker,
Thank you for passing over the patch, I had misunderstood Bruce's report for
another issue.
Patch merged in 1.6f candidate, it will be in the next release.
Best -Federico
--
_________________________________________
-- "'Problem' is a bleak word for challenge" - Richard Fish
(Federico L. Lucifredi) - http://www.lucifredi.com
diff -urN -x CYGWIN-PATCHES -x 'aclocal.m4*' -x ltmain.sh -x 'config.*' -x
depcomp -x install-sh -x missing -x mkinstalldirs -x autom4te.cache -x
'*compile' -x Makefile.in.in -x 'intltool*.in' -x 'xml-i18n-*.in' -x '*.pyc' -x
'*.mo' -x '*.gmo' -x ABOUT-NLS -x Makevars.template -x COPYING -x INSTALL -x
'*.orig' -x '*.rej' -x '*~' -x '*.temp' -x texinfo.tex -x ylwrap -x
gnome-doc-utils.make -x gnome-doc-utils.m4 -x intltool.m4 -x omf.make -x
xmldocs.make origsrc/man-1.6d/src/man.c src/man-1.6d/src/man.c
--- origsrc/man-1.6d/src/man.c 2006-05-01 22:34:22.000000000 +0200
+++ src/man-1.6d/src/man.c 2006-11-17 11:35:39.049579200 +0100
@@ -781,10 +781,10 @@
But it changes the meaning of man_file and cat_file,
if these are not absolute. */
- command = my_xsprintf("(cd %S && %s | %S > %S)", path,
+ command = my_xsprintf("(cd \"%S\" && %s | %S > %S)", path,
roff_command, getval("COMPRESS"), cat_file);
else
- command = my_xsprintf ("(cd %S && %s > %S)", path,
+ command = my_xsprintf ("(cd \"%S\" && %s > %S)", path,
roff_command, cat_file);
/*
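Review bot: in both branches of this hunk only the `cd` argument gains quotes; `cat_file` after `>` and the `COMPRESS` value are still substituted through a bare `%S`. If those arguments go through the same is_shell_safe() check, then with whitespace dropped from the `bad` list in the util.c hunk a `cat_file` containing a space would reach the shell unquoted and be split into separate words. Either quote the redirect target the same way as the path, or keep the whitespace check for arguments that are not wrapped in quotes.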
@@ -829,9 +829,9 @@
if (roff_command == NULL)
return 0;
if (do_troff)
- command = my_xsprintf ("(cd %S && %s)", path, roff_command);
+ command = my_xsprintf ("(cd \"%S\" && %s)", path, roff_command);
else
- command = my_xsprintf ("(cd %S && %s | %s)", path,
+ command = my_xsprintf ("(cd \"%S\" && %s | %s)", path,
roff_command, pager);
return !do_system_command (command, 0);
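Review bot: the double quotes added around the path in both format strings here stop word splitting but not `$` or backquote expansion, and the `bad` list in the util.c hunk (`;'\\\"<>|`) contains neither character. Since `'` is already in that list, wrapping the path in single quotes instead would make the shell treat it as a literal string; otherwise `$` and the backquote should be added to the list for quoted arguments.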
@@ -940,7 +940,7 @@
if (roff_command == NULL)
return 0;
- command = my_xsprintf("(cd %S && %s)", path, roff_command);
+ command = my_xsprintf("(cd \"%S\" && %s)", path, roff_command);
return !do_system_command (command, 0);
}
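Review bot: the `"(cd \"%S\" && %s)"` string in this hunk is the same one already changed in the do_troff branch of the previous hunk, so the quoting rule now lives in several format strings that have to be kept in step by hand. A small helper that builds the `cd` prefix once would keep any later change to the quoting (or to the characters is_shell_safe() rejects) in one place.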
diff -urN -x CYGWIN-PATCHES -x 'aclocal.m4*' -x ltmain.sh -x 'config.*' -x
depcomp -x install-sh -x missing -x mkinstalldirs -x autom4te.cache -x
'*compile' -x Makefile.in.in -x 'intltool*.in' -x 'xml-i18n-*.in' -x '*.pyc' -x
'*.mo' -x '*.gmo' -x ABOUT-NLS -x Makevars.template -x COPYING -x INSTALL -x
'*.orig' -x '*.rej' -x '*~' -x '*.temp' -x texinfo.tex -x ylwrap -x
gnome-doc-utils.make -x gnome-doc-utils.m4 -x intltool.m4 -x omf.make -x
xmldocs.make origsrc/man-1.6d/src/util.c src/man-1.6d/src/util.c
--- origsrc/man-1.6d/src/util.c 2006-05-01 22:34:49.000000000 +0200
+++ src/man-1.6d/src/util.c 2006-11-17 11:36:52.875736000 +0100
@@ -242,7 +242,7 @@
static int
is_shell_safe(const char *ss, int quoted) {
- char *bad = " ;'\\\"<>|";
+ char *bad = ";'\\\"<>|";
char *p;
if (quoted)
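Review bot: removing the leading space from `bad` moves `;` to index 0, so the `if (quoted)` branch that follows, described in the message above as a `++` that skips the whitespace entry, would now skip `;` and quoted strings are no longer checked for it. Either keep the space in `bad` and have the quoted `cd` paths use the quoted mode, or remove the increment (and the `quoted` parameter) in the same change so the two stay consistent.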