From 47cf35e2342f32149ba608851c4a514758447944 Mon Sep 17 00:00:00 2001 From: Tom Ryder Date: Thu, 11 Jan 2018 19:18:05 +1300 Subject: Make first ax(1df) arg safer, warn on second arg The format in the first argument does not need to be evaluated, so it can be passed in a simple awk variable. The second argument is evaluated, by design, so code injection is trivial. It's probably a good idea to warn users about this explicitly. $ ax '0);system("cat /etc/passwd")' Make the whole thing a little terser, too, with the awk program construction, variable assignment, and invocation all on one line. --- man/man1/ax.1df | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'man/man1/ax.1df') diff --git a/man/man1/ax.1df b/man/man1/ax.1df index b3218d37..ffdaabe3 100644 --- a/man/man1/ax.1df +++ b/man/man1/ax.1df @@ -1,4 +1,4 @@ -.TH AX 1df "July 2016" "Manual page for ax" +.TH AX 1df "January 2018" "Manual page for ax" .SH NAME .B ax \- evaluate an awk expression @@ -11,5 +11,9 @@ evaluates an expression given on the command line with awk(1) and prints its result using awk's printf, with an optional format specified preceding the expression. +.SH SECURITY +Note that the second argument has no evaluation protection on it. There's very +little to stop a user putting a fully-fledged awk program in as the second +argument if they needed to. Don't accept untrusted user input in this argument! .SH AUTHOR Tom Ryder -- cgit v1.2.3 From d371bf4dc33e243673147cb28770de252b5759db Mon Sep 17 00:00:00 2001 From: Tom Ryder Date: Thu, 11 Jan 2018 19:21:21 +1300 Subject: Make newline explicit for ax(1df) This makes it a little more flexible, if you genuinely don't want a newline in the output. --- man/man1/ax.1df | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man/man1/ax.1df') diff --git a/man/man1/ax.1df b/man/man1/ax.1df index ffdaabe3..a1513e06 100644 --- a/man/man1/ax.1df +++ b/man/man1/ax.1df @@ -5,7 +5,7 @@ .SH SYNOPSIS .B ax '2.0+3.0' .br -.B ax %.2f 'sin(2)' +.B ax '%.2f\n' 'sin(2)' .SH DESCRIPTION .B ax evaluates an expression given on the command line with awk(1) and prints its -- cgit v1.2.3 From 345d5179236da579bed62a13a36bd34f86e09704 Mon Sep 17 00:00:00 2001 From: Tom Ryder Date: Thu, 11 Jan 2018 19:22:00 +1300 Subject: Separate ax(1df) manpage args from command Just for a clearer visual distinction. This probably needs to be done for other manual pages, too. We use zero-width characters (\&) at the start of the lines beginning with apostrophes so that they get printed literally. --- man/man1/ax.1df | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'man/man1/ax.1df') diff --git a/man/man1/ax.1df b/man/man1/ax.1df index a1513e06..40125167 100644 --- a/man/man1/ax.1df +++ b/man/man1/ax.1df @@ -3,9 +3,11 @@ .B ax \- evaluate an awk expression .SH SYNOPSIS -.B ax '2.0+3.0' +.B ax +\&'2.0+3.0' .br -.B ax '%.2f\n' 'sin(2)' +.B ax +\&'%.2f\\n' 'sin(2)' .SH DESCRIPTION .B ax evaluates an expression given on the command line with awk(1) and prints its -- cgit v1.2.3