Subject: Re: port-i386/4580: sysinst i386 - no shell metachars in FTP password allowed
To: None <netbsd-bugs@NetBSD.ORG>
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-bugs
Date: 11/26/1997 12:38:08
In article <199711261126.MAA09859@smaug.fh-regensburg.de> hubert.feyrer@rz.uni-regensburg.de writes:
>
>>Number:         4580
>>Category:       port-i386
>>Synopsis:       sysinst i386 - no shell metachars in FTP password allowed
>>Confidential:   no
>>Severity:       serious
>>Priority:       high
>>Responsible:    gnats-admin (GNATS administrator)
>>State:          open
>>Class:          sw-bug
>>Submitter-Id:   net
>>Arrival-Date:   Wed Nov 26 03:35:02 1997
>>Last-Modified:
>>Originator:     Hubert Feyrer
>>Organization:
>Hubert Feyrer <hubert.feyrer@rz.uni-regensburg.de>
>>Release:        1.3_ALPHA (971122 floppy from ftp.netbsd.org)
>>Environment:
>	
>System: NetBSD smaug 1.2 NetBSD 1.2 (SMAUG) #0: Sun Oct 27 00:52:22 MET DST 1996 feyrer@smaug:/disk1/usr_src/sys/arch/sparc/compile/SMAUG sparc
>
>
>>Description:
>	sysinst (prolly not only on i386) loses on FTP installs, if
>	it's not an anon-ftp that you do, and you have some shell-meta
>	chars in your password.
>
>>How-To-Repeat:
>	Set your password to something like <">, and notice sysinst
>	returning immediately after choosing to start transfer.
>
>>Fix:
>
>.../sysinst/net.c, line 277:
>                        ret = run_prog("/usr/bin/ftp ftp://%s:%s@%s/%s/%s",
>                                       ftp_user, ftp_pass, ftp_host, ftp_dir,
>                                       filename);
>
>Should be obvious what's going on here - enclosing the URL in
>single quotes should fix the problem. Also in the ftp-call a
>few lines above.

This is not correct; consider if your passwd contains a single quote.

A more correct solution should:
	- escape all shell metacharacters by prepending a backslash to them.
	- probably the ftp url parser should be modified to accept escaped
	  characters too. (Consider what happens if your passwd has a : or /)

christos
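
Added example (not part of the original message, and not sysinst code): the first point of the reply above, prepending a backslash to every shell metacharacter, as a small C helper. The name shell_escape and the sample values are hypothetical; a ':' or '/' in the password still confuses the URL parser, which is the reply's second point.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * shell_escape: hypothetical helper, not sysinst code. Copies `in` to `out`,
 * prepending a backslash to every byte outside a conservative safe set so
 * /bin/sh takes it literally. Returns 0 on success, -1 if the result does
 * not fit or the input holds a newline (sh removes backslash-newline as a
 * line continuation, so a newline cannot be escaped this way).
 */
int
shell_escape(const char *in, char *out, size_t outlen)
{
	size_t o = 0;

	if (outlen == 0)
		return -1;
	for (; *in != '\0'; in++) {
		unsigned char c = (unsigned char)*in;
		int safe = isalnum(c) || strchr("_-./:@%+,=", c) != NULL;

		if (c == '\n' || o + (safe ? 1 : 2) >= outlen)
			return -1;
		if (!safe)
			out[o++] = '\\';
		out[o++] = (char)c;
	}
	out[o] = '\0';
	return 0;
}

int
main(void)
{
	/* Constructed sample values; the password has ', " and $ in it. */
	const char *user = "hubert", *pass = "it's \"$x\"";
	char eu[64], ep[64], cmd[256];

	if (shell_escape(user, eu, sizeof eu) != 0 ||
	    shell_escape(pass, ep, sizeof ep) != 0)
		return 1;
	/* Same format string as the net.c call quoted in the PR. */
	snprintf(cmd, sizeof cmd, "/usr/bin/ftp ftp://%s:%s@%s/%s/%s",
	    eu, ep, "ftp.example.org", "pub/NetBSD", "base.tgz");
	puts(cmd);	/* the string that would be handed to the shell */
	return 0;
}
```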