author | Joey Hess <joeyh@joeyh.name> | 2021-09-28 08:12:42 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2021-09-28 08:12:42 -0400 |
commit | f4a811d0a1fafb3d7b0e7f514d85916ae3933942 (patch) | |
tree | 6518039d2c02503f4b087125bc9bdc5c98c82088 | |
parent | 6140dbc815ef70b11982ff1ed7b3885426e30dda (diff) | |
download | moreutils-f4a811d0a1fafb3d7b0e7f514d85916ae3933942.tar.gz |

ifne.1: Improve example that pipes to mail to avoid escape sequences

As recently seen in fail2ban's security hole (CVE-2021-32749),
piping user controlled input to mail is exploitable,
since a line starting with "~! foo" in the input will run command foo.

A core file named like that is not impossible, so guard against it in this
example.

Sponsored-by: Jack Hill on Patreon

-rw-r--r-- | debian/changelog | 2 |
-rw-r--r-- | ifne.docbook | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index 8ffb404..efaeaee 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ moreutils (0.67) UNRELEASED; urgency=medium * Makefile: Install man pages without executable bit. Thanks, meator + * ifne.1: Improve example that pipes to mail to avoid escape + sequences. -- Joey Hess <id@joeyh.name> Sun, 19 Sep 2021 09:30:45 -0400 diff --git a/ifne.docbook b/ifne.docbook index e9c4569..2dbf215 100644 --- a/ifne.docbook +++ b/ifne.docbook @@ -79,7 +79,7 @@ with this program; if not, write to the Free Software Foundation, Inc., <refsect1> <title>EXAMPLE</title> <cmdsynopsis> - <command>find . -name core | ifne mail -s "Core files found" root</command> + <command>find . -name core | ifne mail -E 'set escape' -s "Core files found" root</command> </cmdsynopsis> </refsect1> |
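
Review bot: In the debian/changelog hunk, the new entry says "avoid escape sequences" without saying that these are mail's tilde escapes or that the change hardens the example against command execution from piped input, which only the commit message explains. Suggest naming that in the entry, for example by mentioning the `~!` escape, so that someone reading only the changelog can tell the change is security-relevant.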
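
Review bot: In the ifne.docbook hunk, the EXAMPLE section gains `-E 'set escape'` with no accompanying explanation, so a reader copying from the man page cannot tell that it guards against tilde escapes in the piped input and may drop it when adapting the command. Suggest a short sentence after the `<cmdsynopsis>` saying that the option stops mail from interpreting input lines that begin with `~`, and stating which mail implementation the example was written for, since `-E` is not handled the same way by every mail program.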