artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 36dba03) | patch
less: escape newlines in file names
authortb <tb@openbsd.org>
Sun, 14 Apr 2024 08:34:00 +0000 (08:34 +0000)
committertb <tb@openbsd.org>
Sun, 14 Apr 2024 08:34:00 +0000 (08:34 +0000)
commitd00ecc6f354c0069a7823d1f3b23fd011ad4316f
tree48dfa2bdc472253cc5dd983e7c42ebd58e5ea5c3tree | snapshot
parent36dba039b91cf453f3b66c370c50b00c9aa5378ecommit | diff
less: escape newlines in file names

Newlines in a filename can lead to arbitrary code execution
https://marc.info/?l=oss-security&m=171292433330233&w=2
via LESSOPEN.  The diff is a straightforward adaptation of
https://github.com/gwsw/less/commit/007521ac3c95bc76

The better fix is deleting the misfeatures that are LESSOPEN
and LESSCLOSE which will happen in a separate commit.

diff looks good to guenther
usr.bin/less/filename.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim