[Bug 271427] FreeBSD pw command injection vulnerability

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 271427] FreeBSD pw command injection vulnerability"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 15 May 2023 07:09:09 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271427

--- Comment #3 from pbuff <858573819@qq.com> ---
(In reply to Baptiste Daroussin from comment #2)
Hello, this is a git-format patch:

diff --git a/pw_user.c b/pw_user.c
index 3d625a0..b16faaf 100644
--- a/pw_user.c
+++ b/pw_user.c
@@ -635,7 +635,7 @@ pw_checkname(char *name, int gecos)
                showtype = "gecos field";
        } else {
                /* See if the name is valid as a userid or group. */
-               badchars = " ,\t:+&#%$^()!@~*?<>=|\\/\"";
+               badchars = " ,\t:+&#%$^()!@~*?<>=|\\/\";";
                showtype = "userid/group name";
                /* Userids and groups can not have a leading '-'. */
                if (*ch == '-')

-- 
You are receiving this mail because:
You are the assignee for the bug.