From aedba1a35eab0e795ce8bc54ad0be75390cb512b Mon Sep 17 00:00:00 2001
From: Ed Maste
Date: Sat, 19 Aug 2017 00:32:26 +0000
Subject: pw useradd: Validate the user name before creating the entry Previouly it was possible to create users with spaces in the name with: pw useradd -u 1234 -g 1234 -n 'test user' The "-g 1234" is relevant, without it the name was already rejected as expected: [fk@test ~]$ sudo pw useradd -u 1234 -n 'test user' pw: invalid character ` ' at position 4 in userid/group name Bug unintentionally found with a salt config without explicit name entry: test user: user.present: - uid: 1234 - gid: 1234 - fullname: Test user - shell: /usr/local/bin/bash - home: /home/test - groups: - wheel - salt "Luckily" salt modules rarely bother with input validation either ... PR: 221416 Submitted by: Fabian Keil Obtained from: ElectroBSD MFC after: 1 week
---
pw/tests/pw_useradd_test.sh | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
(limited to 'pw/tests/pw_useradd_test.sh')
diff --git a/pw/tests/pw_useradd_test.sh b/pw/tests/pw_useradd_test.sh
index d14e4dd..1a1c7d3 100755
--- a/pw/tests/pw_useradd_test.sh
+++ b/pw/tests/pw_useradd_test.sh
@@ -176,6 +176,43 @@ user_add_name_too_long_body() {
 ${PW} useradd name_very_vert_very_very_very_long
 }

+atf_test_case user_add_name_with_spaces
+user_add_name_with_spaces_body() {
+ populate_etc_skel
+ atf_check -s exit:65 -e match:"invalid character" \
+ ${PW} useradd 'test user'
+ atf_check -s exit:1 -o empty grep "^test user:.*" $HOME/master.passwd
+ # Try again with -n which uses a slightly different code path.
+ atf_check -s exit:65 -e match:"invalid character" \
+ ${PW} useradd -n 'test user'
+ atf_check -s exit:1 -o empty grep "^test user:.*" $HOME/master.passwd
+}
+
+atf_test_case user_add_name_with_spaces_and_gid_specified
+user_add_name_with_spaces_and_gid_specified_body() {
+ populate_etc_skel
+ gid=12345
+ user_name="test user"
+ # pw useradd should fail because of the space in the user
+ # name, not because the group doesn't exist.
+ atf_check -s exit:65 -e match:"invalid character" \
+ ${PW} useradd "${user_name}" -g ${gid}
+ atf_check -s exit:1 -o empty grep "^${user_name}:.*" $HOME/master.passwd
+ # Try again with -n which uses a slightly different code path.
+ atf_check -s exit:65 -e match:"invalid character" \
+ ${PW} useradd -n "${user_name}" -g ${gid}
+ atf_check -s exit:1 -o empty grep "^${user_name}:.*" $HOME/master.passwd
+ # Make sure the user isn't added even if the group exists
+ atf_check -s exit:0 ${PW} groupadd blafasel -g ${gid}
+ atf_check -s exit:65 -e match:"invalid character" \
+ ${PW} useradd "${user_name}" -g ${gid}
+ atf_check -s exit:1 -o empty grep "^${user_name}:.*" $HOME/master.passwd
+ # Try again with the -n option.
+ atf_check -s exit:65 -e match:"invalid character" \
+ ${PW} useradd -n "${user_name}" -g ${gid}
+ atf_check -s exit:1 -o empty grep "^${user_name}:.*" $HOME/master.passwd
+}
+
 atf_test_case user_add_expiration
 user_add_expiration_body() {
 populate_etc_skel
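Review bot: Both new test cases exercise only a space, so the `-g` path this commit fixes has no regression coverage for the field separator `:`, which is the character that matters most in a colon-delimited `master.passwd`. Assuming pw's name check rejects it with the same "invalid character" message (the checker is not visible in this hunk), I would add to `user_add_name_with_spaces_and_gid_specified_body` a check such as `atf_check -s exit:65 -e match:"invalid character" ${PW} useradd -n 'test:user' -g ${gid}`, followed by a grep asserting that no line in `$HOME/master.passwd` starts with `test:`. As a style point, `$HOME/master.passwd` and `${gid}` are unquoted in every `atf_check` line; writing `"$HOME/master.passwd"` and `"${gid}"` keeps the assertions valid if the test work directory ever contains whitespace. The trailing `.*` in the grep patterns is redundant, `grep "^${user_name}:"` matches the same lines.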
@@ -415,6 +452,8 @@ atf_init_test_cases() {
 atf_add_test_case user_add_password_expiration_date_month
 atf_add_test_case user_add_password_expiration_date_relative
 atf_add_test_case user_add_name_too_long
+ atf_add_test_case user_add_name_with_spaces
+ atf_add_test_case user_add_name_with_spaces_and_gid_specified
 atf_add_test_case user_add_expiration
 atf_add_test_case user_add_invalid_user_entry
 atf_add_test_case user_add_invalid_group_entry
--
cgit v1.2.3-56-ge451