summaryrefslogtreecommitdiff
path: root/patches/source/bash/bash-4.1-patches/bash41-017
blob: 22a9336fd02f5eb76b929371cd976aea87903146 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
			     BASH PATCH REPORT
			     =================

Bash-Release:	4.1
Patch-ID:	bash41-017

Bug-Reported-by:	Michal Zalewski <lcamtuf@coredump.cx>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

A combination of nested command substitutions and function importing from
the environment can cause bash to execute code appearing in the environment
variable value following the function definition.

Patch (apply with `patch -p0'):

*** ../bash-4.1.16/builtins/evalstring.c	2014-09-16 19:27:38.000000000 -0400
--- builtins/evalstring.c	2014-10-04 15:08:26.000000000 -0400
***************
*** 262,271 ****
  	      struct fd_bitmap *bitmap;
  
! 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
  		{
! 		  internal_warning ("%s: ignoring function definition attempt", from_file);
! 		  should_jump_to_top_level = 0;
! 		  last_result = last_command_exit_value = EX_BADUSAGE;
! 		  break;
  		}
  
--- 262,284 ----
  	      struct fd_bitmap *bitmap;
  
! 	      if (flags & SEVAL_FUNCDEF)
  		{
! 		  char *x;
! 
! 		  /* If the command parses to something other than a straight
! 		     function definition, or if we have not consumed the entire
! 		     string, or if the parser has transformed the function
! 		     name (as parsing will if it begins or ends with shell
! 		     whitespace, for example), reject the attempt */
! 		  if (command->type != cm_function_def ||
! 		      ((x = parser_remaining_input ()) && *x) ||
! 		      (STREQ (from_file, command->value.Function_def->name->word) == 0))
! 		    {
! 		      internal_warning (_("%s: ignoring function definition attempt"), from_file);
! 		      should_jump_to_top_level = 0;
! 		      last_result = last_command_exit_value = EX_BADUSAGE;
! 		      reset_parser ();
! 		      break;
! 		    }
  		}
  
***************
*** 332,336 ****
  
  	      if (flags & SEVAL_ONECMD)
! 		break;
  	    }
  	}
--- 345,352 ----
  
  	      if (flags & SEVAL_ONECMD)
! 		{
! 		  reset_parser ();
! 		  break;
! 		}
  	    }
  	}
*** ../bash-4.1.16/parse.y	2014-09-30 19:36:03.000000000 -0400
--- parse.y	2014-10-04 15:08:26.000000000 -0400
***************
*** 2410,2413 ****
--- 2410,2423 ----
  }
  
+ char *
+ parser_remaining_input ()
+ {
+   if (shell_input_line == 0)
+     return 0;
+   if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
+     return '\0';	/* XXX */
+   return (shell_input_line + shell_input_line_index);
+ }
+ 
  #ifdef INCLUDE_UNUSED
  /* Back the input pointer up by one, effectively `ungetting' a character. */
***************
*** 3809,3814 ****
    restore_parser_state (&ps);
    reset_parser ();
!   if (interactive)
!     token_to_read = 0;
  
    /* Need to find how many characters parse_and_execute consumed, update
--- 3819,3824 ----
    restore_parser_state (&ps);
    reset_parser ();
! 
!   token_to_read = 0;
  
    /* Need to find how many characters parse_and_execute consumed, update
*** ../bash-4.1.16/shell.h	2009-08-14 16:32:52.000000000 -0400
--- shell.h	2014-10-04 15:08:26.000000000 -0400
***************
*** 164,167 ****
--- 164,169 ----
  
  /* Let's try declaring these here. */
+ extern char *parser_remaining_input __P((void));
+ 
  extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
  extern void restore_parser_state __P((sh_parser_state_t *));
*** ../bash-4.1-patched/patchlevel.h	2009-10-01 16:39:22.000000000 -0400
--- patchlevel.h	2010-01-14 09:38:08.000000000 -0500
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 16
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 17
  
  #endif /* _PATCHLEVEL_H_ */