Package: shadow / 1:4.2-3+deb8u4

523_su_arguments_are_concatenated Patch series | download
Goal: Concatenate the non-su arguments and provide them to the shell with
      the -c option
Fixes: #317264
       see also #276419

Status wrt upstream: This is a Debian specific patch.

Note: the corresponding man page fix is still missing
      (to be taken from the trunk).

--- a/src/su.c
+++ b/src/su.c
@@ -1167,6 +1167,35 @@
 			argv[0] = "-c";
 			argv[1] = command;
 		}
+		/* On Debian, the arguments are concatenated and the
+		 * resulting string is always given to the shell with its
+		 * -c option.
+		 */
+		{
+			char **parg;
+			unsigned int cmd_len = 0;
+			char *cmd = NULL;
+			if (strcmp(argv[0], "-c") != 0) {
+				argv--;
+				argv[0] = "-c";
+			}
+			/* Now argv[0] is always -c, and other arguments
+			 * can be concatenated
+			 */
+			cmd_len = 1; /* finale '\0' */
+			for (parg = &argv[1]; *parg; parg++) {
+				cmd_len += strlen (*parg) + 1;
+			}
+			cmd = (char *) xmalloc (sizeof (char) * cmd_len);
+			cmd[0] = '\0';
+			for (parg = &argv[1]; *parg; parg++) {
+				strcat (cmd, " ");
+				strcat (cmd, *parg);
+			}
+			cmd[cmd_len - 1] = '\0';
+			argv[1] = &cmd[1]; /* do not take first space */
+			argv[2] = NULL;
+		}
 		/*
 		 * Use the shell and create an argv
 		 * with the rest of the command line included.
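Review bot: If no argument follows `argv[0]` when the added block runs, `cmd_len` stays 1, so `argv[1] = &cmd[1]` points one past the 1-byte allocation and `argv[2] = NULL` writes beyond the vector's terminating slot. Whether that state can occur depends on the option parsing above, which is outside the hunk (the enclosing function starts and ends outside it), so the block should guard itself by wrapping the length, concatenation and assignment lines in `if (argv[1] != NULL) { ... }`. The counter should also be `size_t cmd_len = 0;` rather than `unsigned int`, because it accumulates `strlen()` results and sizes the buffer that the unbounded `strcat` calls then fill. Because the joined string is re-parsed by the shell, whitespace and metacharacters inside any single argument no longer stay within that argument, and the block comment should say so, for example `/* NOTE: the joined string is re-parsed by the shell; su's own argument boundaries and quoting are lost, so callers must quote untrusted values. */`.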