On Tue, Apr 6, 2010 at 1:53 AM, Matthew Haub <matthew.h...@alumni.adelaide.edu.au> wrote:
> This patch adds support for wordexp(3) and wordfree(3) to libc. These
> functions conform to IEEE Std 1003.1-2001 (POSIX). The implementation
> comes from NetBSD and uses a shell builtin, "wordexp", to perform the
> expansion in line with the methods suggested in the specification[1].
> [1] http://www.opengroup.org/onlinepubs/9699919799/functions/wordexp.html

"Therefore, the application shall ensure that words does not contain an unquoted <newline> character or any of the unquoted shell special characters '|' , '&' , ';' , '<' , '>' except in the context of command substitution as specified in XCU Command Substitution . It also shall not contain unquoted parentheses or braces, except in the context of command or variable substitution. The application shall ensure that every member of words which it expects to have expanded by wordexp() does not contain an unquoted initial comment character. The application shall also ensure that any words which it intends to be ignored (because they begin or continue a comment) are deleted from words."

What a load of crap.

> +.Sh BUGS > +Do not pass untrusted user data to > +.Fn wordexp , > +regardless of whether the > +.Dv WRDE_NOCMD > +flag is set. > +The > +.Fn wordexp > +function attempts to detect input that would cause commands to be > +executed before passing it to the shell > +but it does not use the same parser so it may be fooled.

I'm sorry, but this is terrible. (Not your effort, which is appreciated, but the whole function.) I do not like the idea of adding a "be extra careful or you will introduce a backdoor" function to libc.

Also, a libc function that doesn't work in chroot? What use is that?
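
Review bot: the last sentence of the new BUGS text ("but it does not use the same parser so it may be fooled") leaves the consequence implicit. State outright that input which gets past the WRDE_NOCMD detection reaches the shell and can cause commands to be executed, so the flag is a best-effort check and not a guarantee. The section also tells callers what not to pass without saying what remains acceptable input; one sentence on that would make the warning actionable. Minor: a comma before "but" in "passing it to the shell but it does not use the same parser" would make the sentence easier to read.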
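
The pre-check that the quoted POSIX text puts on the application, as an added example (not part of this thread or of the patch). The helper names `words_are_plain` and `expand_plain_words` are hypothetical and the inputs are constructed; the check ignores quoting on purpose, so it never has to agree with the shell's parser about what is "unquoted".

```c
#include <stddef.h>
#include <string.h>
#include <wordexp.h>

/* Hypothetical helper: returns 1 if `s` holds none of the characters the
 * POSIX text quoted above forbids. A character is rejected even when it is
 * quoted, which is stricter than the specification but avoids re-parsing
 * shell quoting with a second, possibly different, parser. */
static int words_are_plain(const char *s)
{
    /* newline, | & ; < >, parentheses, braces, and the backquote.
     * Rejecting '(' and '`' rules out both command-substitution forms. */
    if (s[strcspn(s, "\n|&;<>(){}`")] != '\0')
        return 0;
    /* A '#' that starts a word would begin a comment. */
    for (const char *p = s; *p; p++)
        if (*p == '#' && (p == s || p[-1] == ' ' || p[-1] == '\t'))
            return 0;
    return 1;
}

/* Hypothetical wrapper: expands `s` into `out` only if it passes the check.
 * Returns the word count, or -1 on rejection or on any wordexp() error
 * (WRDE_CMDSUB included). On success the caller must call wordfree(out). */
static int expand_plain_words(const char *s, wordexp_t *out)
{
    if (s == NULL || !words_are_plain(s))
        return -1;                      /* wordexp() is never reached */
    if (wordexp(s, out, WRDE_NOCMD) != 0)
        return -1;
    return (int)out->we_wordc;
}

int main(void)
{
    wordexp_t w;
    /* Constructed sample inputs. */
    int ok = expand_plain_words("alpha beta", &w);
    if (ok >= 0)
        wordfree(&w);
    int bad = expand_plain_words("alpha $(date)", &w);
    return !(ok == 2 && bad == -1);
}
```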