EDITOR may contain shell code, so exec a shell to run it

Geir Hauge 2012-12-11 14:48:27 +00:00
parent c2c0659bc8
commit dca812bd27


@ -363,6 +363,7 @@ editperm(MYSQL *pmysql, const char *db)
char fn[] = "/tmp/mysql-dbadm.tmp.XXXXXX";
FILE *f;
char *editor;
char *cmd;
char line[1024]; /* buffer to hold one line */
char *cp; /* used to interate through a line */
char *user, *select_priv, *insert_priv, *update_priv, *delete_priv,
@ -418,7 +419,11 @@ editperm(MYSQL *pmysql, const char *db)
if (!editor)
editor = "pico"; /* OK since editor won't be freed */
execlp(editor, editor, fn, NULL);
cmd = malloc(sizeof(char) * strlen(editor) + 7);
sprintf(cmd, "%s \"$1\"", editor);
/* sh -c '$EDITOR "$1"' sh "$fn" */
execlp("sh", "sh", "-c", cmd, "sh", fn, NULL);
perror("Failed to execute editor");
fprintf(stderr, "Make sure the EDITOR environment variable contains"
" a valid editor\n");
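Review bot: The `malloc` result in the second hunk is passed straight to `sprintf` with no NULL check, so an allocation failure becomes a null-pointer write instead of reaching the existing `perror` path; guarding the two new calls as `if (cmd != NULL) { sprintf(cmd, "%s \"$1\"", editor); execlp("sh", "sh", "-c", cmd, "sh", fn, NULL); }` keeps the fall-through. The `+ 7` does cover the five appended characters plus the terminator, but nothing ties it to the format string, so a comment such as `/* strlen(" \"$1\"") + NUL, one byte spare */` or an `snprintf` with the computed length would keep the two in step. Because `EDITOR` is now interpreted by `sh -c` rather than used as a program name, any shell syntax in it runs as a command; if this tool can run with more privilege than the invoking user (not visible on this page), the variable should be treated as untrusted input and privileges dropped before this point. The rendering does not show whether the old `execlp(editor, editor, fn, NULL)` line was removed or kept, and editperm's body continues outside both hunks.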