Subject: Re: port-i386/4580: sysinst i386 - no shell metachars in FTP password allowed
To: Christos Zoulas <firstname.lastname@example.org>
From: Luke Mewburn <email@example.com>
Date: 11/27/1997 09:16:57

Christos Zoulas writes:
> >.../sysinst/net.c, line 277:
> > ret = run_prog("/usr/bin/ftp ftp://%s:%s@%s/%s/%s",
> > ftp_user, ftp_pass, ftp_host, ftp_dir,
> > filename);
> >Should be obvious what's going on here - enclosing the URL in
> >single quote should fix the problem. Also in the ftp-call a
> >few lines above.
> This is not correct; consider if your passwd contains a single quote.
> A more correct solution should:
> - escape all shell metacharacters by prepending a backslash to them.
> - probably the ftp url parser should be modified to accept escaped
> characters too. (Consider what happens if your passwd has a : or /)

I'm not sure if it's `legal' to escape characters in an ftp url (i've
considered this problem before; part of the issue is that the url
can be of the form:
(i.e., optional bits at either end of the string)

i'll investigate to find the ``correct'' way to escape characters in
urls, and get around to implementing it in ftp(1). i don't know if/how
any other url-using products (i.e., browsers) cope with ':', '@', or
'/' in passwords...

as to the problem at hand (sysinst); wouldn't most of it be solved
by passing an argv style array? or is a system() command being used
in the back-end?
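
The two options discussed in this thread, side by side, as an added example that is not sysinst code and not part of the original message: a command line wrapped in single quotes and parsed by /bin/sh, versus an argv-style array handed straight to exec. Assumptions: /bin/echo stands in for /usr/bin/ftp, and the helper names, user, host and file name are constructed.

```c
/* Added illustration, not sysinst code. /bin/echo stands in for /usr/bin/ftp. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec argv[] with stdout on a pipe, copy the output, return exit status. */
static int capture(char *const argv[], char *out, size_t outlen)
{
    int fd[2], st;
    size_t n = 0;
    ssize_t r;
    pid_t pid;
    if (pipe(fd) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execv(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    close(fd[1]);
    while (n < outlen - 1 && (r = read(fd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    return (waitpid(pid, &st, 0) > 0 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Returns 1 if the program received the URL byte-for-byte as one argument. */
int url_survives(const char *ftp_pass, int use_shell)
{
    char url[256], cmd[300], out[512];
    snprintf(url, sizeof url, "ftp://%s:%s@%s/%s",
             "user", ftp_pass, "ftp.example.org", "base.tgz"); /* constructed */
    snprintf(cmd, sizeof cmd, "/bin/echo '%s'", url); /* single-quote proposal */
    char *via_shell[] = { "/bin/sh", "-c", cmd, NULL };   /* system()-style */
    char *via_argv[]  = { "/bin/echo", url, NULL };       /* argv-style */
    if (capture(use_shell ? via_shell : via_argv, out, sizeof out) != 0)
        return 0;                        /* shell syntax error or exec failure */
    out[strcspn(out, "\n")] = '\0';      /* drop echo's trailing newline */
    return strcmp(out, url) == 0;
}

int main(void)
{
    printf("via sh: %d, via argv: %d\n", url_survives("it's", 1), url_survives("it's", 0));
    return 0;
}
```

The argv form removes the shell from the picture only; the URL-level ambiguity of ':', '@' and '/' inside the password is a separate parsing question that this example does not address.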