svn commit: r335485 - stable/11/usr.sbin/bsdconfig/usermgmt/share
Devin Teske
dteske at FreeBSD.org
Thu Jun 21 14:55:27 UTC 2018
Author: dteske
Date: Thu Jun 21 14:55:26 2018
New Revision: 335485
URL: https://svnweb.freebsd.org/changeset/base/335485
Log:
MFC r335308: bsdconfig: Fix a bug when editing users
The usermgmt API was stomping on a global ($user_gid to be specific)
so things would appear to work fine until you tried to make a second
pass into the API with the now-tainted variable contents.
Fixed by localizing menu-specific contents as to not leak outside API.
PR: bin/208774
Reported by: Martin Waschbuesch <martin at waschbuesch.de>
Sponsored by: Smule, Inc.
Modified:
stable/11/usr.sbin/bsdconfig/usermgmt/share/user_input.subr
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/usr.sbin/bsdconfig/usermgmt/share/user_input.subr
==============================================================================
--- stable/11/usr.sbin/bsdconfig/usermgmt/share/user_input.subr Thu Jun 21 14:41:58 2018 (r335484)
+++ stable/11/usr.sbin/bsdconfig/usermgmt/share/user_input.subr Thu Jun 21 14:55:26 2018 (r335485)
@@ -1020,13 +1020,6 @@ f_dialog_menu_user_add()
user_password_expires_on="$user_password_expire"
fi
- # Attempt to translate a numeric GID into `number (name)'
- if f_isinteger "$user_gid"; then
- local user_group
- user_group=$( pw groupshow -g "$user_gid" 2> /dev/null ) &&
- user_gid="$user_gid (${user_group%%:*})"
- fi
-
# Localize potentially hostile variables and escape their values
# to the local variable (see f_shell_escape() of `strings.subr')
local var
@@ -1038,6 +1031,14 @@ f_dialog_menu_user_add()
eval f_shell_escape \"\$user_$var\" _user_$var
done
+ # Attempt to translate a numeric GID into `number (name)'
+ if f_isinteger "$_user_gid"; then
+ local _user_group
+ _user_group=$( pw groupshow -g "$_user_gid" 2> /dev/null ) &&
+ _user_group="${_user_group%%:*}" &&
+ f_shell_escape "$_user_gid ($_user_group)" _user_gid
+ fi
+
menu_list="
'X' '$msg_add/$msg_exit'
'1' '$msg_login: $_user_name'
@@ -1137,13 +1138,6 @@ f_dialog_menu_user_delete()
user_password_expires_on="$user_password_expire"
fi
- # Attempt to translate a numeric GID into `number (name)'
- if f_isinteger "$user_gid"; then
- local user_group
- user_group=$( pw groupshow -g "$user_gid" 2> /dev/null ) &&
- user_gid="$user_gid (${user_group%%:*})"
- fi
-
# Localize potentially hostile variables and escape their values
# to the local variable (see f_shell_escape() of `strings.subr')
local var
@@ -1155,6 +1149,14 @@ f_dialog_menu_user_delete()
eval f_shell_escape \"\$user_$var\" _user_$var
done
+ # Attempt to translate a numeric GID into `number (name)'
+ if f_isinteger "$_user_gid"; then
+ local _user_group
+ _user_group=$( pw groupshow -g "$_user_gid" 2> /dev/null ) &&
+ _user_group="${_user_group%%:*}" &&
+ f_shell_escape "$_user_gid ($_user_group)" _user_gid
+ fi
+
menu_list="
'X' '$msg_delete/$msg_exit'
'1' '$msg_login: $_user_name'
@@ -1254,13 +1256,6 @@ f_dialog_menu_user_edit()
user_password_expires_on="$user_password_expire"
fi
- # Attempt to translate a numeric GID into `number (name)'
- if f_isinteger "$user_gid"; then
- local user_group
- user_group=$( pw groupshow -g "$user_gid" 2> /dev/null ) &&
- user_gid="$user_gid (${user_group%%:*})"
- fi
-
# Localize potentially hostile variables and escape their values
# to the local variable (see f_shell_escape() of `strings.subr')
local var
@@ -1271,6 +1266,14 @@ f_dialog_menu_user_edit()
local _user_$var
eval f_shell_escape \"\$user_$var\" _user_$var
done
+
+ # Attempt to translate a numeric GID into `number (name)'
+ if f_isinteger "$_user_gid"; then
+ local _user_group
+ _user_group=$( pw groupshow -g "$_user_gid" 2> /dev/null ) &&
+ _user_group="${_user_group%%:*}" &&
+ f_shell_escape "$_user_gid ($_user_group)" _user_gid
+ fi
menu_list="
'X' '$msg_save/$msg_exit'
More information about the svn-src-stable
mailing list