X-Git-Url: https://diplodocus.org/git/nmh/blobdiff_plain/16f84dac4d414312e41433f7ae74aecc45166806..4ac978448:/sbr/ruserpass.c?ds=sidebyside

diff --git a/sbr/ruserpass.c b/sbr/ruserpass.c
index f7f01792..43784d52 100644
--- a/sbr/ruserpass.c
+++ b/sbr/ruserpass.c
@@ -35,7 +35,7 @@ static FILE *cfile;
 #define	ID	10
 #define	MACH	11
 
-#define MAX_TOKVAL_SIZE 1024
+#define MAX_TOKVAL_SIZE 1024 /* Including terminating NUL. */
 
 struct toktab {
     char *tokstr;
@@ -107,8 +107,8 @@ ruserpass(const char *host, char **aname, char **apass, int flags)
 			    (stb.st_mode & 077) != 0) {
 			    /* We make this a fatal error to force the
 			       user to correct it. */
-			    advise(NULL, "Error - file %s must not be world or "
-				   "group readable.", credentials_file);
+                            advise(NULL, "group or other permissions, %#o, "
+                                "forbidden: %s", stb.st_mode, credentials_file);
 			    adios(NULL, "Remove password or correct file "
 				  "permissions.");
 			}
@@ -177,44 +177,47 @@ ruserpass(const char *host, char **aname, char **apass, int flags)
 static int
 token(char *tokval)
 {
-    char *cp;
     int c;
+    const char normalStop[] = "\t\n ,"; /* Each breaks a word. */
+    const char *stop;
+    char *cp;
     struct toktab *t;
 
-    if (feof(cfile))
+    if (feof(cfile) || ferror(cfile))
 	return TOK_EOF;
-    while ((c = getc(cfile)) != EOF &&
-	   (c == '\n' || c == '\t' || c == ' ' || c == ','))
-	continue;
+
+    stop = normalStop;
+    while ((c = getc(cfile)) != EOF && c && strchr(stop, c))
+        ;
     if (c == EOF)
 	return TOK_EOF;
+
     cp = tokval;
-    if (c == '"') {
-	while ((c = getc(cfile)) != EOF && c != '"') {
-	    if (c == '\\')
-		c = getc(cfile);
-	    *cp++ = c;
-            if (cp - tokval > MAX_TOKVAL_SIZE-1) {
-                adios(NULL, "credential tokens restricted to length %d",
-                      MAX_TOKVAL_SIZE - 1);
-            }
-	}
-    } else {
-	*cp++ = c;
-	while ((c = getc(cfile)) != EOF
-	       && c != '\n' && c != '\t' && c != ' ' && c != ',') {
-	    if (c == '\\')
-		c = getc(cfile);
-	    *cp++ = c;
-            if (cp - tokval > MAX_TOKVAL_SIZE-1) {
-                adios(NULL, "credential tokens restricted to length %d",
-                      MAX_TOKVAL_SIZE - 1);
-            }
-	}
+    if (c == '"')
+        /* FIXME: Where is the quoted-string syntax of netrc documented?
+         * This code treats Â«"foo""bar"Â» as two tokens without further
+         * separators. */
+        stop = "\"";
+    else
+        /* Might be backslash.  Get it again later.  It's handled then. */
+        if (ungetc(c, cfile) == EOF)
+            return TOK_EOF;
+
+    while ((c = getc(cfile)) != EOF && c && !strchr(stop, c)) {
+        if (c == '\\' && (c = getc(cfile)) == EOF)
+            return TOK_EOF; /* Discard whole token. */
+
+        *cp++ = c;
+        if (cp - tokval > MAX_TOKVAL_SIZE-1) {
+            adios(NULL, "credential tokens restricted to length %d",
+                  MAX_TOKVAL_SIZE - 1);
+        }
     }
-    *cp = 0;
+    *cp = '\0';
+
     for (t = toktabs; t->tokstr; t++)
 	if (!strcmp(t->tokstr, tokval))
 	    return (t->tval);
+
     return (ID);
 }