authorColin Watson <cjwatson@debian.org>2022-10-18 00:09:40 +0100
committerColin Watson <cjwatson@debian.org>2022-10-18 00:09:40 +0100
commit09304c00a4a3dea95da5d1f0aa1ad4c20c292f3b (patch)
treed19280bca053959aa6f8778a5cb25dd420423dc3
parentfba1f23672e534ca4bb4d61baf5fb28e9ee5a9da (diff)
Escape $ in page names when constructing less prompts
Fixes Debian bug #1021951. * include/manconfig.h (LESS_OPTS): Add `--use-backslash`. * src/man.c (escape_less): Also escape `$` characters. * NEWS.md: Document this.
-rw-r--r--NEWS.md8
-rw-r--r--include/manconfig.h5
-rw-r--r--src/man.c6
3 files changed, 13 insertions, 6 deletions
diff --git a/NEWS.md b/NEWS.md
index b88cd233..fc1a3c80 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,3 +1,11 @@
+man-db 2.11.1
+=============
+
+Fixes:
+
+ * SECURITY: Escape `$` characters in page names when constructing `less`
+ prompts. Note that this requires `less` >= 457 (released in 2012).
+
man-db 2.11.0 (15 October 2022)
===============================
diff --git a/include/manconfig.h b/include/manconfig.h
index 0baa4412..4f2caea5 100644
--- a/include/manconfig.h
+++ b/include/manconfig.h
@@ -105,11 +105,14 @@
* (R)aw control chars (but keep track of screen appearance)
* (m)ore display style
*
+ * The --use-backslash option allows escaping dollar signs safely in
+ * prompts, though requires less >= 457 (released in 2012).
+ *
* If you change this, be sure to match the format with
* man.c:make_display_command().
*/
-#define LESS_OPTS "-ix8RmPm%s$PM%s$"
+#define LESS_OPTS "--use-backslash -ix8RmPm%s$PM%s$"
/* This is a minimal latin1 special characters to ascii translation table */
#if !defined(TR_SET1) || !defined(TR_SET2)
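Review bot: The comment above `LESS_OPTS` should state that `--use-backslash` must stay ahead of the `-Pm`/`-PM` prompt options, because per the less manual it only changes how the options that follow it are parsed. A later reordering of this string would silently drop the escaping that escape_less in src/man.c now depends on. Suggested extra comment line: `* It must precede the -P options: it only affects options that follow it, and an unescaped '$' would end the prompt string.` The less >= 457 requirement is documented here and in NEWS.md, but nothing visible in this hunk enforces it, so a build-time check or a note on the behaviour with an older pager would be worth considering.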
diff --git a/src/man.c b/src/man.c
index 43bf15d1..7bf1dd34 100644
--- a/src/man.c
+++ b/src/man.c
@@ -873,11 +873,7 @@ static const char *escape_less (const char *string)
2 * strlen (string) + 1);
while (*string) {
- if (*string == '?' ||
- *string == ':' ||
- *string == '.' ||
- *string == '%' ||
- *string == '\\')
+ if (strchr ("?:.%\\$", *string))
*ptr++ = '\\';
*ptr++ = *string++;
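Review bot: The escape set `"?:.%\\$"` on the `strchr` line is an unexplained literal, and its `$` entry is only correct while the prompt reaches less after `--use-backslash`, which this commit adds to LESS_OPTS in include/manconfig.h. Without that option the backslash is presumably not honoured as an escape for `$`, so the two places have to change together. A comment on that line would record the coupling, e.g. `/* '$' ends a less option string; escaping it relies on --use-backslash in LESS_OPTS */`. If a prompt can reach less through an option string that is not built from LESS_OPTS, that path is not visible here and should be checked for the same option. escape_less begins before this hunk and continues after it.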