From 56e12157d93d9ccb4e1491443f10eb5f66c6471e Mon Sep 17 00:00:00 2001
From: Stephane Chazelas <stephane.chazelas@gmail.com>
Date: Tue, 16 Sep 2014 21:57:03 +0100
Subject: Patch cve-2014-6271

Patch-ID: bash30-017
Under certain circumstances, bash will execute user code while processing the
environment for exported function definitions.

Change-Id: Iccac7b4ae914354978079783a9fe50b3b38ddad5
---
 variables.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

(limited to 'variables.c')

diff --git a/variables.c b/variables.c
index cbb89c2..6b8ead1 100644
--- a/variables.c
+++ b/variables.c
@@ -347,12 +347,10 @@ initialize_shell_variables (env, privmode)
 	  temp_string[char_index] = ' ';
 	  strcpy (temp_string + char_index + 1, string);
 
-	  parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
-
-	  /* Ancient backwards compatibility.  Old versions of bash exported
-	     functions like name()=() {...} */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
-	    name[char_index - 2] = '\0';
+	  /* Don't import function names that are invalid identifiers from the
+	     environment. */
+	  if (legal_identifier (name))
+	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
 
 	  if (temp_var = find_function (name))
 	    {
@@ -361,10 +359,6 @@ initialize_shell_variables (env, privmode)
 	    }
 	  else
 	    report_error (_("error importing function definition for `%s'"), name);
-
-	  /* ( */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
-	    name[char_index - 2] = '(';		/* ) */
 	}
 #if defined (ARRAY_VARS)
 #  if 0
-- 
cgit v1.1