NetBSD-Bugs archive
Re: bin/59836: 11.0_BETA: resolvconf fails with 'eval: make_vars: IP_OF_2ND_DNS: not found' for more than 1 dns server
The following reply was made to PR bin/59836; it has been noted by GNATS.
From: Robert Elz <kre%munnari.OZ.AU@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: bin/59836: 11.0_BETA: resolvconf fails with 'eval: make_vars: IP_OF_2ND_DNS: not found' for more than 1 dns server
Date: Tue, 16 Dec 2025 03:48:16 +0700
Date: Mon, 15 Dec 2025 09:00:03 +0000 (UTC)
From: "Henryk Paluch via gnats" <gnats-admin%NetBSD.org@localhost>
Message-ID: <20251215090003.629BA1A923A%mollari.NetBSD.org@localhost>
| but it introduced a new potential security bug, because it
| now passes untrusted user data ($NAMESERVERS) as a format string to
| printf(1)
No, it doesn't:
| printf 'NAMESERVERS="$NAMESERVERS "%s\n' "$(quote "$ns")"
Look more carefully, it passes the characters:
NAMESERVERS= (that part is obvious)
"
$
NAMESERVERS
space
"
%s
\n
All enclosed in ' ' (no interpretation of what's in the string,
other than what printf does - the %s gets the parameter's value,
and the \n turns into a newline).
The result should look something like (on stdout)
NAMESERVERS="$NAMESERVERS "'1.2.3.4'
(and what is in $NAMESERVERS when the shell which processes that
gets to see it will be all quoted strings, where the quotes will
then be removed by doing an "eval"). The 1.2.3.4 is untrusted
user data, but that's nicely hidden inside '' quotes. It might not
be useful as a nameserver, but it isn't going to do any harm.
kre
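
The quoting described in the message above, as an added example that is not part of the original message or of resolvconf's code. The `quote` function here is a hypothetical stand-in (its real implementation is not shown on this page), and `emit_ns`, `as_format`, `collect`, `demo` and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example; quote() is a hypothetical stand-in, not resolvconf's code.
# It wraps a value in '...' and rewrites each embedded ' as '\''.
quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The line from the message: the format is a constant in single quotes and
# the untrusted value reaches printf only as the argument for %s.
emit_ns() {
    printf 'NAMESERVERS="$NAMESERVERS "%s\n' "$(quote "$1")"
}

# For contrast only: the value used as the format itself, which is what the
# line above does not do. printf interprets % and \ sequences found in it.
as_format() {
    printf "$1"
}

# Evaluate one emitted line per server and return the resulting variable.
collect() {
    NAMESERVERS=
    for ns in "$@"; do
        eval "$(emit_ns "$ns")"
    done
    printf '%s' "$NAMESERVERS"
}

# Constructed sample values: shell metacharacters and printf directives.
demo() {
    emit_ns '1.2.3.4'
    emit_ns "x'; MARKER=set; '"
    collect '1.2.3.4' '$(echo hi)' '100%sX'
    echo
}

demo
```

Values containing quotes, `$(...)` or `%` directives come back out of `collect` as literal text, while `as_format` shows the different result when the same value is used as the format.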