netbsd-bugs: bin/29457: pppoectl's config file does not allow number sign in passwords

Subject: bin/29457: pppoectl's config file does not allow number sign in passwords
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Joachim Kuebart <kuebart@mathematik.uni-ulm.de>
List: netbsd-bugs
Date: 02/19/2005 17:30:01
>Number:         29457
>Category:       bin
>Synopsis:       pppoectl's config file does not allow number sign in passwords
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Feb 19 17:30:01 +0000 2005
>Originator:     Joachim Kuebart
>Release:        NetBSD 2.0B
>Organization:
>Environment:
System: NetBSD jaja 2.0B NetBSD 2.0B (ALPHA-$Revision: 1.191 $) #5: Mon Feb 14 19:54:33 CET 2005 joki@jaja:/usr/obj/usr/src/sys/arch/alpha/compile/JAJA alpha
Architecture: alpha
Machine: alpha
pppoectl.8:
     $NetBSD: pppoectl.8,v 1.23 2003/10/02 07:07:48 wiz Exp $

pppoectl.c:
     $NetBSD: pppoectl.c,v 1.16 2004/09/01 19:38:09 jdolecek Exp $
>Description:
	The pppoectl program has an -f switch to specify a file name in
	which configuration information is kept. This file is processed
	with fparseln(3) and therefore supports features supplied by this
	function, viz. comments starting with `#'.

	Unfortunately, this feature prevents the user from using the `#'
	character as part of their authentication information.

	Incidentally, one major ISP in Germany requires `#' signs in user
	names.
>How-To-Repeat:
	Use a "config" file with the line
	myauthname=a#b
	
	After ppppoectl -f config pppoe0, pppoectl pppoe0 will show
	myauthname=a

	Everything after the number sign is lost (likewise for passwords).
>Fix:
	To enable escaping the comment character, pass an appropriate flag
	to fparseln(3). I think FPARSELN_UNESCALL is the correct flag value
	to use, since every other flag value prevents certain character
	sequences from being passed in.

	The example above can now be entered thusly:
	myauthname=a\#b

	while comments are sill supported.

	I suggest the following fix:

Index: pppoectl.c
===================================================================
RCS file: /cvsroot/src/sbin/pppoectl/pppoectl.c,v
retrieving revision 1.16
diff -u -p -r1.16 pppoectl.c
--- pppoectl.c	1 Sep 2004 19:38:09 -0000	1.16
+++ pppoectl.c	19 Feb 2005 17:30:15 -0000
@@ -296,7 +296,8 @@ main(int argc, char **argv)
 
 	/* first load the config file, then parse command line args */
 	if (configname && (fp = fopen(configname, "r")))
-		while ((line = fparseln(fp, NULL, NULL, NULL, 0)))
+		while ((line = fparseln(fp, NULL, NULL, NULL,
+					FPARSELN_UNESCALL)))
 			pppoectl_argument(line);
        
 	while (argc > 0) {
Index: pppoectl.8
===================================================================
RCS file: /cvsroot/src/sbin/pppoectl/pppoectl.8,v
retrieving revision 1.23
diff -u -p -r1.23 pppoectl.8
--- pppoectl.8	2 Oct 2003 07:07:48 -0000	1.23
+++ pppoectl.8	19 Feb 2005 17:30:14 -0000
@@ -90,10 +90,12 @@ This is only available if DNS query is e
 .It Fl f
 parse
 .Ar config-file
-ignoring lines starting with a # for
+for
 .Ar parameter Ns Op \&= Ns Ar value
 pairs, one per line, as if they had been specified on the command line.
 This allows the password to be not passed as a command line argument.
+Unless escaped by \e, comments starting with # to the end of the current line
+are ignored.
 .El
 .Pp
 Typically, not both the access concentrator name and the service name are