From nobody@FreeBSD.org  Wed May  9 16:29:58 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 361DE106568A
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  9 May 2012 16:29:58 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 06D968FC14
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  9 May 2012 16:29:58 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q49GTv2T054403
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 9 May 2012 16:29:57 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q49GTvRo054402;
	Wed, 9 May 2012 16:29:57 GMT
	(envelope-from nobody)
Message-Id: <201205091629.q49GTvRo054402@red.freebsd.org>
Date: Wed, 9 May 2012 16:29:57 GMT
From: Norihiko Murase <mur1080224@inter7.jp>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] /usr/sbin/adduser: enclose with double quotes: $_input --> "$_input"
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         167744
>Category:       bin
>Synopsis:       [patch] adduser(8): enclose with double quotes: $_input --> "$_input"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 09 16:30:05 UTC 2012
>Closed-Date:    
>Last-Modified:  Sun Apr 20 00:12:15 UTC 2014
>Originator:     Norihiko Murase
>Release:        FreeBSD 8.2-RELEASE i386
>Organization:
>Environment:
>Description:
In the shell script 'adduser' (/usr/sbin/adduser), the value of shell 
variable "_input" is used WITHOUT double quotes in several places. 
This is NOT SAFE. You should replace them as follows:
  (before) $_input
   (after) "$_input"

>How-To-Repeat:
This kind of difference (the lack of the double quotes) comes to a head
at least when the vaule includes a white space (` ').
# Example:
# when you specify the value with a white space as as the username.

>Fix:
Apply the patch attached, which solves this (potential) problem by 
modifying the shell script 'adduser' (/usr/sbin/adduser).


Patch attached with submission follows:

--- adduser.orig	2011-02-18 01:51:54.000000000 +0000
+++ adduser	2012-05-09 23:04:00.000000000 +0000
@@ -362,7 +362,7 @@
 			err "You must enter a username!"
 			[ -z "$fflag" ] && continue
 		fi
-		${PWCMD} usershow $_input > /dev/null 2>&1
+		${PWCMD} usershow "$_input" > /dev/null 2>&1
 		if [ "$?" -eq 0 ]; then
 			err "User exists!"
 			[ -z "$fflag" ] && continue
@@ -419,7 +419,7 @@
 		if [ -n "$Sflag" ]; then
 			ushell="$_input"
 		else
-			_fullpath=`fullpath_from_shell $_input`
+			_fullpath=`fullpath_from_shell "$_input"`
 			if [ -n "$_fullpath" ]; then
 				ushell="$_fullpath"
 			else
@@ -500,7 +500,7 @@
 		_input="`echo "$fileline" | cut -f2 -d:`"
 	fi
 
-	[ -n "$_input" ] && uuid=$_input
+	[ -n "$_input" ] && uuid="$_input"
 	uuid=`get_nextuid $uuid`
 	uidstart=$uuid
 }
@@ -707,7 +707,7 @@
 		echo -n "Use password-based authentication? [$_usepass]: "
 		read _input
 		[ -z "$_input" ] && _input=$_usepass
-		case $_input in
+		case "$_input" in
 		[Nn][Oo]|[Nn])
 			passwdtype="no"
 			;;
@@ -715,7 +715,7 @@
 			while : ; do
 				echo -n "Use an empty password? (yes/no) [$_emptypass]: "
 				read _input
-				[ -n "$_input" ] && _emptypass=$_input
+				[ -n "$_input" ] && _emptypass="$_input"
 				case $_emptypass in
 				[Nn][Oo]|[Nn])
 					echo -n "Use a random password? (yes/no) [$_random]: "
@@ -771,7 +771,7 @@
 		echo -n "Lock out the account after creation? [$_disable]: "
 		read _input
 		[ -z "$_input" ] && _input=$_disable
-		case $_input in
+		case "$_input" in
 		[Nn][Oo]|[Nn])
 			disableflag=
 			;;
@@ -818,7 +818,7 @@
 	while : ; do
 		echo -n "OK? (yes/no): "
 		read _input
-		case $_input in
+		case "$_input" in
 		[Nn][Oo]|[Nn])
 			return 1
 			;;
@@ -1034,7 +1034,7 @@
 			echo -n "Re-edit the default configuration? (yes/no): "
 		fi
 		read _input
-		case $_input in
+		case "$_input" in
 		[Yy][Ee][Ss]|[Yy][Ee]|[Yy])
 			uidstart=`get_nextuid $uidstart`
 			input_interactive


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->eadler 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Wed May 9 19:19:20 UTC 2012 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167744 

From: Jilles Tjoelker <jilles@stack.nl>
To: bug-followup@FreeBSD.org, mur1080224@inter7.jp
Cc:  
Subject: Re: bin/167744: [patch] /usr/sbin/adduser: enclose with double
 quotes: $_input --&gt; &quot;$_input&quot;
Date: Fri, 11 May 2012 19:57:23 +0200

 > [usr.sbin/adduser/adduser.sh lets sh split user input inappropriately]
 
 If you are worried about spaces in user names, it also seems appropriate
 to check for them (and other disallowed characters such as ',' and ':')
 and reject such input.
 
 A quick look finds some more places with missing quotes, like
 	[ -z "$configflag" ] && printf "%-10s : %s\n" Username $username
 on line 792.
 
 On the other hand, the patch also adds quotes where they are
 inconsequential. In lines like
 	uuid=$_input
 and
 	case $_input in
 the quotes are not needed because word splitting does not happen in such
 contexts anyway (assignment and second word of case statement). Existing
 code varies in adding or not adding unnecessary quotes in places like
 these.
 
 Note that things like export a="$b" do not count as an assignment for
 this; they need the quotes except if bin/166771 is committed.
 
 -- 
 Jilles Tjoelker
Responsible-Changed-From-To: eadler->freebsd-bugs 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Thu Nov 8 20:54:43 UTC 2012 
Responsible-Changed-Why:  
I won't be dealing with this PR for some time, so give it back to the 
pool 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167744 
>Unformatted:
