author | Colin Watson <cjwatson@debian.org> | 2022-10-18 00:09:40 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2022-10-18 00:09:40 +0100 |
commit | 09304c00a4a3dea95da5d1f0aa1ad4c20c292f3b (patch) | |
tree | d19280bca053959aa6f8778a5cb25dd420423dc3 | |
parent | fba1f23672e534ca4bb4d61baf5fb28e9ee5a9da (diff) |
Escape $ in page names when constructing less prompts
Fixes Debian bug #1021951.
* include/manconfig.h (LESS_OPTS): Add `--use-backslash`.
* src/man.c (escape_less): Also escape `$` characters.
* NEWS.md: Document this.
-rw-r--r-- | NEWS.md | 8 | ||||
-rw-r--r-- | include/manconfig.h | 5 | ||||
-rw-r--r-- | src/man.c | 6 |
3 files changed, 13 insertions, 6 deletions
@@ -1,3 +1,11 @@
+man-db 2.11.1
+=============
+
+Fixes:
+
+ * SECURITY: Escape `$` characters in page names when constructing `less`
+ prompts. Note that this requires `less` >= 457 (released in 2012).
+
 man-db 2.11.0 (15 October 2022)
 ===============================
diff --git a/include/manconfig.h b/include/manconfig.h
index 0baa4412..4f2caea5 100644
--- a/include/manconfig.h
+++ b/include/manconfig.h
@@ -105,11 +105,14 @@
 * (R)aw control chars (but keep track of screen appearance)
 * (m)ore display style
 *
+ * The --use-backslash option allows escaping dollar signs safely in
+ * prompts, though requires less >= 457 (released in 2012).
+ *
 * If you change this, be sure to match the format with
 * man.c:make_display_command().
 */
-#define LESS_OPTS "-ix8RmPm%s$PM%s$"
+#define LESS_OPTS "--use-backslash -ix8RmPm%s$PM%s$"
 /* This is a minimal latin1 special characters to ascii translation table */
 #if !defined(TR_SET1) || !defined(TR_SET2)
@@ -873,11 +873,7 @@ static const char *escape_less (const char *string)
 2 * strlen (string) + 1);
 while (*string) {
- if (*string == '?' ||
- *string == ':' ||
- *string == '.' ||
- *string == '%' ||
- *string == '\\')
+ if (strchr ("?:.%\\$", *string))
 *ptr++ = '\\';
 *ptr++ = *string++;
|
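Review bot: The added comment on `LESS_OPTS` does not say that `--use-backslash` is position-sensitive: per the less documentation it only changes how the options that follow it are parsed, so it has to stay ahead of `-Pm`/`-PM` for the `$` escape to take effect. I would add a line such as `* --use-backslash must come before the -P prompt options it applies to.` to the comment. Because the option makes less consume backslashes in option strings, it is also worth confirming that the existing `\?`, `\:`, `\.` and `\%` escapes emitted by escape_less still reach the prompt parser as escapes; that cannot be checked from this hunk.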
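Review bot: The character set in `strchr ("?:.%\\$", *string)` is now security-relevant but has no comment saying why `$` is in it or that the escape depends on a flag defined in another file. An unescaped `$` ends a less option string, so the remainder of a page name would be parsed as further less options, and the backslash in front of it is honoured only because `LESS_OPTS` in include/manconfig.h passes `--use-backslash`. I would add above the `if`: `/* '$' ends a less option string; escaping it relies on --use-backslash in LESS_OPTS (less >= 457). */`. The `strchr` call itself is safe here because the `while (*string)` guard keeps the NUL terminator out of the lookup. escape_less starts and ends outside the hunk.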