netbsd-bugs: Re: port-i386/4580: sysinst i386 - no shell metachars in FTP password allowed

Subject: Re: port-i386/4580: sysinst i386 - no shell metachars in FTP password allowed
To: Christos Zoulas <christos@zoulas.com>
From: Luke Mewburn <lm@cs.rmit.edu.au>
List: netbsd-bugs
Date: 11/27/1997 09:16:57

Christos Zoulas writes:
> >>Fix:
> >
> >.../sysinst/net.c, line 277:
> >                        ret = run_prog("/usr/bin/ftp ftp://%s:%s@%s/%s/%s",
> >                                       ftp_user, ftp_pass, ftp_host, ftp_dir
> ,
> >                                       filename);
> >
> >Should be obvious what's going on here - enclosing the URL in
> >single quote should fix the problem. Also in the ftp-call a
> >few lines above.
> 
> This is not correct; consider if your passwd contains a single quote.
> 
> A more correct solution should:
> 	- escape all shell metacharacters by prepending a backslash to them.
> 	- probably the ftp url parser should be modified to accept escaped
> 	  characters too. (Consider what happens if your passwd has a : or /)

I'm not sure if it's `legal' to escape characters in an ftp url (i've
considered this problem before; part of the issue is that the url
can be of the form:
	ftp://[user:passwd]@host[:port]/...
(i.e, optional bits at either end of the string)

i'll investigate to find the ``correct'' way to escape characters in
urls, and get around to implementing it in ftp(1). i don't know if/how
any other url using products (i.e, browsers) cope with ':', '@', or
'/' in passwords...

as to the problem at hand (sysinst); wouldn't most of it be solved
by passing an argv[] style array? or is a system() command being used
in the back-end?