Skip to content

Instantly share code, notes, and snippets.

@ss23
Last active August 29, 2015 14:10
Show Gist options
  • Save ss23/8d70d4363532ba7c9153 to your computer and use it in GitHub Desktop.
Save ss23/8d70d4363532ba7c9153 to your computer and use it in GitHub Desktop.
/**
* This routine is unnecessary, but people ask for such things.
*
* Maybe man is suid or sgid to some user that owns the cat directories.
* Maybe NLSPATH can be manipulated by the user - even though
* modern glibc avoids using environment variables when the
* program is suid or sgid.
* So, maybe the string s that we are returning was user invented
* and we have to avoid %n and the like.
*
* As a random hack, only allow %s,%d,%o, and only two %-signs.
*/
static int
is_suspect (char *s) {
int ct = 0;
while (*s) {
if (*s++ == '%') {
ct++;
if (*s != 's' && *s != 'd' && *s != 'o')
return 1;
}
}
return (ct > 2);
}
static char *
getmsg (int n) {
char *s = "";
catinit ();
if (catfd != (nl_catd) -1) {
s = catgets(catfd, 1, n, "");
if (*s && is_suspect(s))
s = "";
}
if (*s == 0 && 0 < n && n <= MAXMSG)
s = msg[n];
if (*s == 0) {
fprintf(stderr,
"man: internal error - cannot find message %d\n", n);
exit (1);
}
return s;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment