author | Robert Mustacchi <rm@joyent.com> | 2014-12-17 17:43:46 +0000 |
---|---|---|
committer | Robert Mustacchi <rm@joyent.com> | 2014-12-23 14:52:59 -0800 |
commit | 5422785d352a2bb398daceab3d1898a8aa64d006 (patch) | |
tree | 5283e77a5f85bd7c4ae03a1db063b5fb6a0400f5 /usr/src/cmd | |
parent | 196c7f05d2deba7404e90ad67f3861185c78ca2d (diff) | |
5481 CVE-2012-1750 mailx(1) tilde expansion vulnerability
5482 CVE-2014-7844, CVE-2004-2771 - more mailx(1) woes
Reviewed by: Dan McDonald <danmcd@omniti.com>
Reviewed by: Richard Lowe <richlowe@richlowe.net>
Approved by: Dan McDonald <danmcd@omniti.com>
Diffstat (limited to 'usr/src/cmd')
-rw-r--r-- | usr/src/cmd/mailx/fio.c | 2 | ||||
-rw-r--r-- | usr/src/cmd/mailx/main.c | 3 | ||||
-rw-r--r-- | usr/src/cmd/mailx/misc/mailx.rc | 4 | ||||
-rw-r--r-- | usr/src/cmd/mailx/names.c | 19 |
4 files changed, 13 insertions, 15 deletions
diff --git a/usr/src/cmd/mailx/fio.c b/usr/src/cmd/mailx/fio.c
index 59eceb519f..53907ca760 100644
--- a/usr/src/cmd/mailx/fio.c
+++ b/usr/src/cmd/mailx/fio.c
@@ -757,7 +757,7 @@ expand(char *name)
 if (debug) fprintf(stderr, "%s\n", name);
 return (name);
 }
- if (wordexp(name, &wrdexp_buf, 0) != 0) {
+ if (wordexp(name, &wrdexp_buf, WRDE_NOCMD) != 0) {
 fprintf(stderr, gettext("Syntax error in \"%s\"\n"), name);
 fflush(stderr);
 return (NOSTR);
diff --git a/usr/src/cmd/mailx/main.c b/usr/src/cmd/mailx/main.c
index 35448ecf7c..0271552bea 100644
--- a/usr/src/cmd/mailx/main.c
+++ b/usr/src/cmd/mailx/main.c
@@ -37,8 +37,6 @@
 * contributors.
 */
-#pragma ident "%Z%%M% %I% %E% SMI"
-
 #include "rcv.h"
 #ifndef preSVr4
 #include <locale.h>
@@ -104,7 +102,6 @@ main(int argc, char **argv)
 progname = argv[0];
 if (progname[strlen(progname) - 1] != 'x') {
 assign("bsdcompat", "");
- assign("escapeok", ""); /* XXX */
 }
 myegid = getegid();
 myrgid = getgid();
diff --git a/usr/src/cmd/mailx/misc/mailx.rc b/usr/src/cmd/mailx/misc/mailx.rc
index d10391f433..a6dfa46fb2 100644
--- a/usr/src/cmd/mailx/misc/mailx.rc
+++ b/usr/src/cmd/mailx/misc/mailx.rc
@@ -21,8 +21,6 @@
 # Copyright 2000 Sun Microsystems, Inc. All rights reserved.
 # Use is subject to license terms.
 #
-# ident "%Z%%M% %I% %E% SMI"
-#
 # The following 3 settings produce the familiar Solaris behavior.
 set appenddeadletter
 unset pipeignore
@@ -44,8 +42,6 @@ else
 set LISTER="ls -LF"
 # default is to allow editing of message windows
 set editmessagewindow
- # have to allow ~ escapes even though not using tty
- set escapeok
 endif
 # most mail headers are uninteresting to most people. here we ignore all
diff --git a/usr/src/cmd/mailx/names.c b/usr/src/cmd/mailx/names.c
index 7616630f79..886eb2dbc5 100644
--- a/usr/src/cmd/mailx/names.c
+++ b/usr/src/cmd/mailx/names.c
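Review bot: In expand() the added `WRDE_NOCMD` flag carries no comment saying why it must stay, and the failure branch still prints "Syntax error" for every non-zero return of wordexp(). With the flag set, a name that contains command substitution is rejected with `WRDE_CMDSUB`, so the user gets a misleading diagnostic; a comment such as `/* WRDE_NOCMD: expanding a file name must never cause a command to run */` above the call, plus a separate message when the saved return value equals `WRDE_CMDSUB`, would make the refusal explicit. The body of expand() begins and ends outside the hunk, so the later handling of `wrdexp_buf` (including any wordfree() call) cannot be checked from here.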
@@ -191,7 +191,7 @@ outpre(struct name *to)
 /*
 * For each recipient in the passed name list with a /
 * in the name, append the message to the end of the named file
- * and remove him from the recipient list.
+ * and remove them from the recipient list.
 *
 * Recipients whose name begins with | are piped through the given
 * program and removed.
@@ -212,6 +212,9 @@ outof(struct name *names, FILE *fo)
 char line[BUFSIZ];
 #endif
+ if (value("expandaddr") == NOSTR)
+ return (nout);
+
 for (np = names; np != NIL; np = np->n_flink) {
 if (!isfileaddr(np->n_name) && np->n_name[0] != '|') continue;
@@ -599,14 +602,15 @@ unpack(struct name *np)
 panic("No names to unpack");
 /*
- * Compute the number of extra arguments we will need.
- * We need at least 2 extra -- one for "mail" and one for
- * the terminating 0 pointer.
- * Additional spots may be needed to pass along -r and -f to
- * the host mailer.
+ * Compute the number of extra arguments we will need. We need at least
+ * 3 extra -- one for "mail", one for a terminating -- to stop sendmail
+ * option processing, and one for the terminating 0 pointer.
+ *
+ * Additional spots may be needed to pass along -r and -f to the host
+ * mailer.
 */
- extra = 2;
+ extra = 3;
 if (rflag != NOSTR) extra += 2;
@@ -636,6 +640,7 @@ unpack(struct name *np)
 snprintf(hbuf, sizeof (hbuf), "%d", hflag);
 *ap++ = savestr(hbuf);
 }
+ *ap++ = "--";
 while (n != NIL) {
 if (n->n_type & GDEL) {
 n = n->n_flink; |
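Review bot: The early return added at the top of outof() when `expandaddr` is unset skips the loop that handles names containing `/` or starting with `|`, and does so without any diagnostic. As far as this hunk shows, those names stay in the recipient list and are passed on to the mailer. The header comment edited in the previous hunk still describes the file and pipe handling as unconditional; it should gain a line such as `* This is done only when the expandaddr variable is set; otherwise no recipient is redirected.` The declaration of `nout` lies outside the hunk, so the value returned on this path depends on its initializer. Because this changes the default behaviour, consider rejecting such names with a message rather than forwarding them silently.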
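Review bot: The new `*ap++ = "--";` in unpack() is the only argument in this hunk stored as a string literal rather than through savestr(), and nothing at the insertion site ties it to `extra` having been raised from 2 to 3 in the previous hunk. A comment here such as `/* end of options: a recipient starting with '-' must not be parsed as a mailer flag; slot counted in 'extra' */` would keep the allocation and the write in step when either is next edited. The rewritten comment names sendmail specifically; if the delivery program can be configured to one that does not honour `--` (not visible in this diff), the marker would be treated as a recipient, which deserves a sentence in the user documentation. unpack() starts and ends outside the hunk.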