diff options
author | Stephane Chazelas <stephane.chazelas@gmail.com> | 2014-09-16 21:57:03 +0100 |
---|---|---|
committer | Paul Kocialkowski <contact@paulk.fr> | 2014-10-05 10:53:52 +0200 |
commit | 56e12157d93d9ccb4e1491443f10eb5f66c6471e (patch) | |
tree | c3e67538d1995ee5b54e89c786c9c07980ed07fc | |
parent | f4b417c62a4f272c4cf9a074d0f7a3a97201f9db (diff) | |
download | external_bash-56e12157d93d9ccb4e1491443f10eb5f66c6471e.zip external_bash-56e12157d93d9ccb4e1491443f10eb5f66c6471e.tar.gz external_bash-56e12157d93d9ccb4e1491443f10eb5f66c6471e.tar.bz2 |
Patch cve-2014-6271
Patch-ID: bash30-017
Under certain circumstances, bash will execute user code while processing the
environment for exported function definitions.
Change-Id: Iccac7b4ae914354978079783a9fe50b3b38ddad5
-rw-r--r-- | builtins/common.h | 2 | ||||
-rw-r--r-- | builtins/evalstring.c | 11 | ||||
-rw-r--r-- | variables.c | 14 |
3 files changed, 17 insertions, 10 deletions
diff --git a/builtins/common.h b/builtins/common.h index caeefea..d3df1b8 100644 --- a/builtins/common.h +++ b/builtins/common.h @@ -35,6 +35,8 @@ #define SEVAL_NOLONGJMP 0x040 /* Flags for describe_command, shared between type.def and command.def */ +#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ +#define SEVAL_ONECMD 0x100 /* only allow a single command */ #define CDESC_ALL 0x001 /* type -a */ #define CDESC_SHORTDESC 0x002 /* command -V */ #define CDESC_REUSABLE 0x004 /* command -v */ diff --git a/builtins/evalstring.c b/builtins/evalstring.c index 333a56e..61f57fc 100644 --- a/builtins/evalstring.c +++ b/builtins/evalstring.c @@ -261,6 +261,14 @@ parse_and_execute (string, from_file, flags) { struct fd_bitmap *bitmap; + if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) + { + internal_warning ("%s: ignoring function definition attempt", from_file); + should_jump_to_top_level = 0; + last_result = last_command_exit_value = EX_BADUSAGE; + break; + } + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); begin_unwind_frame ("pe_dispose"); add_unwind_protect (dispose_fd_bitmap, bitmap); @@ -321,6 +329,9 @@ parse_and_execute (string, from_file, flags) dispose_command (command); dispose_fd_bitmap (bitmap); discard_unwind_frame ("pe_dispose"); + + if (flags & SEVAL_ONECMD) + break; } } else diff --git a/variables.c b/variables.c index cbb89c2..6b8ead1 100644 --- a/variables.c +++ b/variables.c @@ -347,12 +347,10 @@ initialize_shell_variables (env, privmode) temp_string[char_index] = ' '; strcpy (temp_string + char_index + 1, string); - parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); - - /* Ancient backwards compatibility. Old versions of bash exported - functions like name()=() {...} */ - if (name[char_index - 1] == ')' && name[char_index - 2] == '(') - name[char_index - 2] = '\0'; + /* Don't import function names that are invalid identifiers from the + environment. */ + if (legal_identifier (name)) + parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); if (temp_var = find_function (name)) { @@ -361,10 +359,6 @@ initialize_shell_variables (env, privmode) } else report_error (_("error importing function definition for `%s'"), name); - - /* ( */ - if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') - name[char_index - 2] = '('; /* ) */ } #if defined (ARRAY_VARS) # if 0 |