Source-Changes archive
CVS commit: [netbsd-9] src/external/bsd/openresolv/dist
Module Name: src
Committed By: martin
Date: Fri Dec 12 20:06:43 UTC 2025
Modified Files:
src/external/bsd/openresolv/dist [netbsd-9]: resolvconf.in
Log Message:
Pull up following revision(s) (requested by roy in ticket #1984):
external/bsd/openresolv/dist/resolvconf.in: revision 1.14
external/bsd/openresolv/dist/resolvconf.in: revision 1.16
(via patch)

resolvconf: Single quote parsed values from resolv.conf

When parsing resolv.conf entries we build up shell variables.
Because this is done via a pipe, we need to echo the variables
to stdout and eval the result to get them into the main resolvconf.
We have no idea what the values are, so we build up the output
ensuring the parsed value is single quoted so eval will always
interpret it as a string and nothing more.

This avoids an attack like so:
`echo 'search $(touch /tmp/foo)' | resolvconf -a bar`

resolvconf: Add a function to quote and escape input for eval

The prior fix could be worked around by this:
`echo "search '\$(touch /tmp/foo)'" | resolvconf -a bar`

We solve this by single quoting when needed and escaping single
quotes in the input.

Thanks to kre for the quoting function.

To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.5.2.1 src/external/bsd/openresolv/dist/resolvconf.in
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
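
The two quoting stages described in the log message, as an added example (not openresolv's code and not kre's function). The names `quote_for_eval`, `parse_resolv` and `load_search` are hypothetical, and `$(echo INJECTED)` is a constructed, harmless stand-in for the command substitution in the log's test strings.

```shell
#!/bin/sh
# Added example, not openresolv's code; all function names are hypothetical.

# quote_for_eval STR: print STR as one single-quoted shell word that eval
# reads back unchanged. Each embedded ' is written as '\''.
quote_for_eval() {
    _in=$1 _out=
    while :; do
        case $_in in
        *\'*) _head=${_in%%\'*}; _in=${_in#*\'}; _out="$_out$_head'\\''" ;;
        *)    break ;;
        esac
    done
    printf "'%s'" "$_out$_in"
}

# parse_resolv MODE: read resolv.conf text on stdin and print a shell
# assignment for each "search" line.
#   wrap   - wrap the value in single quotes, no escaping (first stage)
#   escape - quote and escape the value (second stage)
parse_resolv() {
    while read -r _key _val; do
        [ "$_key" = search ] || continue
        case $1 in
        wrap)   printf "SEARCH='%s'\n" "$_val" ;;
        escape) printf 'SEARCH=%s\n' "$(quote_for_eval "$_val")" ;;
        esac
    done
}

# load_search MODE TEXT: run the parser at the end of a pipe, eval its
# output in the calling shell, and print the resulting SEARCH value.
load_search() {
    SEARCH=
    eval "$(printf '%s\n' "$2" | parse_resolv "$1")"
    printf '%s' "$SEARCH"
}

# Constructed inputs shaped like the two test strings in the log message.
PLAIN='search $(echo INJECTED)'
WRAPPED="search '\$(echo INJECTED)'"

for mode in wrap escape; do
    printf '%-6s plain=[%s] wrapped=[%s]\n' "$mode" \
        "$(load_search "$mode" "$PLAIN")" "$(load_search "$mode" "$WRAPPED")"
done
```

In `wrap` mode the second input closes the quotes early and the substitution is evaluated; in `escape` mode both inputs come back as literal strings.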