On Tue, Apr 6, 2010 at 1:53 AM, Matthew Haub
<matthew.h...@alumni.adelaide.edu.au> wrote:
> This patch adds support for wordexp(3) and wordfree(3) to libc. These
> functions conform to IEEE Std 1003.1-2001 (POSIX). The implementation
> comes from NetBSD and uses a shell builtin, "wordexp", to perform the
> expansion in line with the methods suggested in the specification[1].

> [1] http://www.opengroup.org/onlinepubs/9699919799/functions/wordexp.html

"Therefore, the application shall ensure that words does not contain
an unquoted <newline> character or any of the unquoted shell special
characters '|', '&', ';', '<', '>' except in the context of
command substitution as specified in XCU Command Substitution. It
also shall not contain unquoted parentheses or braces, except in the
context of command or variable substitution. The application shall
ensure that every member of words which it expects to have expanded by
wordexp() does not contain an unquoted initial comment character. The
application shall also ensure that any words which it intends to be
ignored (because they begin or continue a comment) are deleted from
words."

What a load of crap.

> +.Sh BUGS
> +Do not pass untrusted user data to
> +.Fn wordexp ,
> +regardless of whether the
> +.Dv WRDE_NOCMD
> +flag is set.
> +The
> +.Fn wordexp
> +function attempts to detect input that would cause commands to be
> +executed before passing it to the shell
> +but it does not use the same parser so it may be fooled.
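Review bot: the closing sentence of the BUGS text ("but it does not use the same parser so it may be fooled") never states the consequence, which is that the shell can run commands taken from the input even with WRDE_NOCMD set. Say that explicitly, and add that the function depends on the shell's "wordexp" builtin being reachable at run time, since callers will not expect a libc routine to need an external program. A comma before "but" would also help the sentence read cleanly.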

I'm sorry, but this is terrible.  (Not your effort, which is
appreciated, but the whole function.)  I do not like the idea of
adding a "be extra careful or you will introduce a backdoor" function
to libc.

Also, a libc function that doesn't work in chroot?  What use is that?
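
An added example, not part of the original message or the patch: one way for a caller to meet the quoted POSIX requirement without relying on a quoting-aware pre-parser is to reject every quoting character outright, so each byte can be judged on its own. The names `words_allowed`, `guarded_wordexp` and `WORDS_REJECTED`, and the allowlist itself, are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <wordexp.h>

#define WORDS_REJECTED 1000   /* hypothetical code, outside the WRDE_* range */

/* Hypothetical gate: accept only bytes that need no quoting-aware parsing.
 * Quotes and backslashes are refused, so every byte is "unquoted" and the
 * check cannot disagree with the shell about quoting state. */
int words_allowed(const char *s)
{
    /* Constructed allowlist: blanks, path characters, tilde, glob * and ?. */
    static const char extra[] = " \t/._-~*?";
    size_t i;

    if (s == NULL || s[0] == '\0')
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];

        if (c < 0x80 && isalnum(c))
            continue;
        if (strchr(extra, c) != NULL)
            continue;
        if (c == '$') {
            /* Plain $NAME only: refuses $(...), ${...}, $1, $$, trailing $. */
            unsigned char n = (unsigned char)s[i + 1];
            if (n < 0x80 && (isalpha(n) || n == '_'))
                continue;
        }
        return 0;   /* | & ; < > ( ) { } ` ' " \ #, newline, anything else */
    }
    return 1;
}

/* Expand only gated input; WRDE_NOCMD stays on as a second check.
 * Returns 0 on success (caller must wordfree(we)), WORDS_REJECTED if the
 * gate refused the string, or the wordexp() error code otherwise. */
int guarded_wordexp(const char *s, wordexp_t *we)
{
    if (!words_allowed(s))
        return WORDS_REJECTED;
    return wordexp(s, we, WRDE_NOCMD);
}
```

The gate narrows what reaches wordexp(); it does not change the advice in the quoted BUGS text about untrusted data.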
