summaryrefslogtreecommitdiff
path: root/usr/src/cmd
diff options
context:
space:
mode:
authorRobert Mustacchi <rm@joyent.com>2014-12-17 17:43:46 +0000
committerRobert Mustacchi <rm@joyent.com>2014-12-23 14:52:59 -0800
commit5422785d352a2bb398daceab3d1898a8aa64d006 (patch)
tree5283e77a5f85bd7c4ae03a1db063b5fb6a0400f5 /usr/src/cmd
parent196c7f05d2deba7404e90ad67f3861185c78ca2d (diff)
downloadillumos-gate-5422785d352a2bb398daceab3d1898a8aa64d006.tar.gz
5481 CVE-2012-1750 mailx(1) tilde expansion vulnerability
5482 CVE-2014-7844, CVE-2004-2771 - more mailx(1) woes Reviewed by: Dan McDonald <danmcd@omniti.com> Reviewed by: Richard Lowe <richlowe@richlowe.net> Approved by: Dan McDonald <danmcd@omniti.com>
Diffstat (limited to 'usr/src/cmd')
-rw-r--r--usr/src/cmd/mailx/fio.c2
-rw-r--r--usr/src/cmd/mailx/main.c3
-rw-r--r--usr/src/cmd/mailx/misc/mailx.rc4
-rw-r--r--usr/src/cmd/mailx/names.c19
4 files changed, 13 insertions, 15 deletions
diff --git a/usr/src/cmd/mailx/fio.c b/usr/src/cmd/mailx/fio.c
index 59eceb519f..53907ca760 100644
--- a/usr/src/cmd/mailx/fio.c
+++ b/usr/src/cmd/mailx/fio.c
@@ -757,7 +757,7 @@ expand(char *name)
if (debug) fprintf(stderr, "%s\n", name);
return (name);
}
- if (wordexp(name, &wrdexp_buf, 0) != 0) {
+ if (wordexp(name, &wrdexp_buf, WRDE_NOCMD) != 0) {
fprintf(stderr, gettext("Syntax error in \"%s\"\n"), name);
fflush(stderr);
return (NOSTR);
diff --git a/usr/src/cmd/mailx/main.c b/usr/src/cmd/mailx/main.c
index 35448ecf7c..0271552bea 100644
--- a/usr/src/cmd/mailx/main.c
+++ b/usr/src/cmd/mailx/main.c
@@ -37,8 +37,6 @@
* contributors.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include "rcv.h"
#ifndef preSVr4
#include <locale.h>
@@ -104,7 +102,6 @@ main(int argc, char **argv)
progname = argv[0];
if (progname[strlen(progname) - 1] != 'x') {
assign("bsdcompat", "");
- assign("escapeok", ""); /* XXX */
}
myegid = getegid();
myrgid = getgid();
diff --git a/usr/src/cmd/mailx/misc/mailx.rc b/usr/src/cmd/mailx/misc/mailx.rc
index d10391f433..a6dfa46fb2 100644
--- a/usr/src/cmd/mailx/misc/mailx.rc
+++ b/usr/src/cmd/mailx/misc/mailx.rc
@@ -21,8 +21,6 @@
# Copyright 2000 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
# The following 3 settings produce the familiar Solaris behavior.
set appenddeadletter
unset pipeignore
@@ -44,8 +42,6 @@ else
set LISTER="ls -LF"
# default is to allow editing of message windows
set editmessagewindow
- # have to allow ~ escapes even though not using tty
- set escapeok
endif
# most mail headers are uninteresting to most people. here we ignore all
diff --git a/usr/src/cmd/mailx/names.c b/usr/src/cmd/mailx/names.c
index 7616630f79..886eb2dbc5 100644
--- a/usr/src/cmd/mailx/names.c
+++ b/usr/src/cmd/mailx/names.c
@@ -191,7 +191,7 @@ outpre(struct name *to)
/*
* For each recipient in the passed name list with a /
* in the name, append the message to the end of the named file
- * and remove him from the recipient list.
+ * and remove them from the recipient list.
*
* Recipients whose name begins with | are piped through the given
* program and removed.
@@ -212,6 +212,9 @@ outof(struct name *names, FILE *fo)
char line[BUFSIZ];
#endif
+ if (value("expandaddr") == NOSTR)
+ return (nout);
+
for (np = names; np != NIL; np = np->n_flink) {
if (!isfileaddr(np->n_name) && np->n_name[0] != '|')
continue;
@@ -599,14 +602,15 @@ unpack(struct name *np)
panic("No names to unpack");
/*
- * Compute the number of extra arguments we will need.
- * We need at least 2 extra -- one for "mail" and one for
- * the terminating 0 pointer.
- * Additional spots may be needed to pass along -r and -f to
- * the host mailer.
+ * Compute the number of extra arguments we will need. We need at least
+ * 3 extra -- one for "mail", one for a terminating -- to stop sendmail
+ * option processing, and one for the terminating 0 pointer.
+ *
+ * Additional spots may be needed to pass along -r and -f to the host
+ * mailer.
*/
- extra = 2;
+ extra = 3;
if (rflag != NOSTR)
extra += 2;
@@ -636,6 +640,7 @@ unpack(struct name *np)
snprintf(hbuf, sizeof (hbuf), "%d", hflag);
*ap++ = savestr(hbuf);
}
+ *ap++ = "--";
while (n != NIL) {
if (n->n_type & GDEL) {
n = n->n_flink;