Subject: port-i386/4580: sysinst i386 - no shell metachars in FTP password allowed
To: None <gnats-bugs@gnats.netbsd.org>
From: Hubert Feyrer <feyrer@smaug.fh-regensburg.de>
List: netbsd-bugs
Date: 11/26/1997 12:26:16
>Number: 4580
>Category: port-i386
>Synopsis: sysinst i386 - no shell metachars in FTP password allowed
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Nov 26 03:35:02 1997
>Last-Modified:
>Originator: Hubert Feyrer
>Organization:
Hubert Feyrer <hubert.feyrer@rz.uni-regensburg.de>
>Release: 1.3_ALPHA (971122 floppy from ftp.netbsd.org)
>Environment:
System: NetBSD smaug 1.2 NetBSD 1.2 (SMAUG) #0: Sun Oct 27 00:52:22 MET DST 1996 feyrer@smaug:/disk1/usr_src/sys/arch/sparc/compile/SMAUG sparc
>Description:
sysinst (prolly not only on i386) loses on FTP installs, if
it's not an anon-ftp that you do, and you have some shell-meta
chars in your password.
>How-To-Repeat:
Set your password to something like <">, and notice sysinst
returning immediately after choosing to start transfer.
>Fix:
.../sysinst/net.c, line 277:
	ret = run_prog("/usr/bin/ftp ftp://%s:%s@%s/%s/%s",
		       ftp_user, ftp_pass, ftp_host, ftp_dir,
		       filename);
Should be obvious what's going on here - enclosing the URL in
single quotes should fix the problem. Also in the ftp call a
few lines above.
>Audit-Trail:
>Unformatted:
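
Added example, not part of the original report or of sysinst: a C sketch of the quoting the Fix section proposes, which also escapes a single quote embedded in the password so that it cannot end the quoting early. It assumes run_prog passes its formatted string to /bin/sh, as the report implies; sh_quote and build_ftp_cmd are hypothetical helper names, and the sample credentials are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Wrap `in` in single quotes for /bin/sh; an embedded ' is emitted as '\''.
 * Returns 0 on success, -1 if `out` is too small. */
int sh_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz < 3)                      /* room for '' and NUL at least */
        return -1;
    out[o++] = '\'';
    for (; *in != '\0'; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outsz)       /* keep room for closing ' and NUL */
            return -1;
        memcpy(out + o, (*in == '\'') ? "'\\''" : in, need);
        o += need;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Build "/usr/bin/ftp '<url>'" so the shell sees the URL as one literal word.
 * Only shell quoting is done here; URL-level encoding of characters such as
 * '@' or '/' inside the password is a separate concern and is not handled. */
int build_ftp_cmd(char *out, size_t outsz, const char *user, const char *pass,
                  const char *host, const char *dir, const char *file)
{
    char url[512], quoted[2048];
    int n = snprintf(url, sizeof url, "ftp://%s:%s@%s/%s/%s",
                     user, pass, host, dir, file);

    if (n < 0 || (size_t)n >= sizeof url)
        return -1;                      /* refuse truncated URLs */
    if (sh_quote(url, quoted, sizeof quoted) != 0)
        return -1;
    n = snprintf(out, outsz, "/usr/bin/ftp %s", quoted);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char cmd[4096];
    /* Constructed sample values, including both quote characters. */
    if (build_ftp_cmd(cmd, sizeof cmd, "user", "p\"q'r", "ftp.example.org",
                      "pub", "base.tgz") == 0)
        puts(cmd);
    return 0;
}
```

Passing the URL as a separate argv element to an exec-style call, with no shell involved, removes the need for quoting altogether.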