When nc(1) tries to connect through an HTTP proxy that requires
authentication, nc calls readpassphrase(3) and aborts. Pledging "tty"
fixes this problem, but you'll notice that the diff has a lot of nasty
branches. My failure to check Pflag when connecting over unix sockets
is not an oversight; nc does not support that configuration.
To reproduce the failure without setting up a real HTTP proxy, open
two terminals and run nc as a coprocess in the first. The following
session causes a core dump:
(tty1)$ nc -lk 8080 |&
(tty2)$ nc -Xconnect -xlocalhost:8080 -Puser localhost 8081
(tty1)$ print -np "HTTP/1.0 407 Authentication Required\r\n\r\n"
(tty2) Abort trap (core dumped)
Index: netcat.c
===================================================================
RCS file: /cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.150
diff -u -p -r1.150 netcat.c
--- netcat.c 4 Jan 2016 02:18:31 -0000 1.150
+++ netcat.c 28 May 2016 18:33:30 -0000
@@ -323,7 +323,13 @@ main(int argc, char *argv[])
if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
err(1, "pledge");
} else if (Fflag) {
- if (pledge("stdio inet dns sendfd", NULL) == -1)
+ if (Pflag) {
+ if (pledge("stdio inet dns sendfd tty", NULL) == -1)
+ err(1, "pledge");
+ } else if (pledge("stdio inet dns sendfd", NULL) == -1)
+ err(1, "pledge");
+ } else if (Pflag) {
+ if (pledge("stdio inet dns tty", NULL) == -1)
err(1, "pledge");
} else if (usetls) {
if (pledge("stdio rpath inet dns", NULL) == -1)
@@ -434,7 +440,10 @@ main(int argc, char *argv[])
if (Kflag && (privkey = tls_load_file(Kflag, &privkeylen,
NULL)) == NULL)
errx(1, "unable to load TLS key file %s", Kflag);
- if (pledge("stdio inet dns", NULL) == -1)
+ if (Pflag) {
+ if (pledge("stdio inet dns tty", NULL) == -1)
+ err(1, "pledge");
+ } else if (pledge("stdio inet dns", NULL) == -1)
err(1, "pledge");
if (tls_init() == -1)
