ash: [VAR] Sanitise environment variable names on entry

Upstream commit:

    Date: Sat, 25 Feb 2012 15:35:18 +0800
    [VAR] Sanitise environment variable names on entry

    On Tue, Feb 14, 2012 at 10:48:48AM +0000, harald@redhat.com wrote:
    > "export -p" prints all environment variables, without checking if the
    > environment variable is a valid dash variable name.
    >
    > IMHO, the only valid usecase for "export -p" is to eval the output.
    >
    > $ eval $(export -p); echo OK
    > OK
    >
    > Without this patch the following test does error out with:
    >
    > test.py:
    > import os
    > os.environ["test-test"]="test"
    > os.environ["test_test"]="test"
    > os.execv("./dash", [ './dash', '-c', 'eval $(export -p); echo OK' ])
    >
    > $ python test.py
    > ./dash: 1: export: test-test: bad variable name
    >
    > Of course the results can be more evil, if the environment variable
    > name is crafted, that it injects valid shell code.

    This patch fixes the issue by sanitising all environment variable names
    upon entry into the shell.

    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

diff --git a/shell/ash.c b/shell/ash.c
index db943f6c78875041148679b345864c3a625098c9..59905aa7b028a604419952eb131f0e50cd400e99 100644 (file)
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -13119,7 +13119,8 @@ init(void)
 
                initvar();
                for (envp = environ; envp && *envp; envp++) {
-                       if (strchr(*envp, '=')) {
+                       p = endofname(*envp);
+                       if (p != *envp && *p == '=') {
                                setvareq(*envp, VEXPORT|VTEXTFIXED);
                        }
                }