diff options
| author | Colin Watson <cjwatson@debian.org> | 2022-11-05 12:40:53 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2022-11-05 12:40:53 +0000 |
| commit | 0d80ec4d5c987acb502a7787240f56e3cec65497 (patch) | |
| tree | f833edbe27f9f9691703caf3df1f6060b5420dda | |
| parent | 8f12d39bbb6748a1257358269028ef919f9c92e6 (diff) | |
Replace $ in page names rather than trying to escape it
Jakub Wilk points out in Debian bug #1021951 that attempting to use the
`--use-backslash` option has a number of complications. Just replace
dollar signs with question marks instead.
* include/manconfig.h (LESS_OPTS): Revert addition of `--use-backslash`.
* src/man.c: Replace `$` characters with `?` rather than trying to
escape them.
* NEWS.md: Document this.
| -rw-r--r-- | NEWS.md | 4 | ||||
| -rw-r--r-- | include/manconfig.h | 5 | ||||
| -rw-r--r-- | src/man.c | 14 |
3 files changed, 15 insertions, 8 deletions
@@ -3,8 +3,8 @@ man-db 2.11.1 Fixes: - * SECURITY: Escape `$` characters in page names when constructing `less` - prompts. Note that this requires `less` >= 457 (released in 2012). + * SECURITY: Replace `$` characters in page names with `?` when constructing + `less` prompts. * Silence error message when processing an empty manual page hierarchy with a nonexistent cache directory. * `man(1)` now sorts whatis references below real pages, even if the whatis diff --git a/include/manconfig.h b/include/manconfig.h index 8de135f9..5c2c3189 100644 --- a/include/manconfig.h +++ b/include/manconfig.h @@ -106,14 +106,11 @@ * (R)aw control chars (but keep track of screen appearance) * (m)ore display style * - * The --use-backslash option allows escaping dollar signs safely in - * prompts, though requires less >= 457 (released in 2012). - * * If you change this, be sure to match the format with * man.c:make_display_command(). */ -#define LESS_OPTS "--use-backslash -ix8RmPm%s$PM%s$" +#define LESS_OPTS "-ix8RmPm%s$PM%s$" /* This is a minimal latin1 special characters to ascii translation table */ #if !defined(TR_SET1) || !defined(TR_SET2) @@ -873,10 +873,20 @@ static const char *escape_less (const char *string) 2 * strlen (string) + 1); while (*string) { - if (strchr ("?:.%\\$", *string)) + char c = *string++; + + if (c == '$') + /* Dollar signs are difficult to handle properly, and + * not really worth the trouble, so just replace them + * with question marks. See + * https://bugs.debian.org/1021951. + */ + c = '?'; + + if (strchr ("?:.%\\", c)) *ptr++ = '\\'; - *ptr++ = *string++; + *ptr++ = c; } *ptr = *string; |