summaryrefslogtreecommitdiffstats
path: root/patches/source/bash/bash-4.2-patches/bash42-053
blob: cffd622faaef0baee2a6891cc52427b2da465914 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
			     BASH PATCH REPORT
			     =================

Bash-Release:	4.2
Patch-ID:	bash42-053

Bug-Reported-by:	Michal Zalewski <lcamtuf@coredump.cx>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

A combination of nested command substitutions and function importing from
the environment can cause bash to execute code appearing in the environment
variable value following the function definition.

Patch (apply with `patch -p0'):

*** ../bash-4.2.52/builtins/evalstring.c	2014-09-16 19:35:45.000000000 -0400
--- builtins/evalstring.c	2014-10-04 15:00:26.000000000 -0400
***************
*** 262,271 ****
  	      struct fd_bitmap *bitmap;
  
! 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
  		{
! 		  internal_warning ("%s: ignoring function definition attempt", from_file);
! 		  should_jump_to_top_level = 0;
! 		  last_result = last_command_exit_value = EX_BADUSAGE;
! 		  break;
  		}
  
--- 262,284 ----
  	      struct fd_bitmap *bitmap;
  
! 	      if (flags & SEVAL_FUNCDEF)
  		{
! 		  char *x;
! 
! 		  /* If the command parses to something other than a straight
! 		     function definition, or if we have not consumed the entire
! 		     string, or if the parser has transformed the function
! 		     name (as parsing will if it begins or ends with shell
! 		     whitespace, for example), reject the attempt */
! 		  if (command->type != cm_function_def ||
! 		      ((x = parser_remaining_input ()) && *x) ||
! 		      (STREQ (from_file, command->value.Function_def->name->word) == 0))
! 		    {
! 		      internal_warning (_("%s: ignoring function definition attempt"), from_file);
! 		      should_jump_to_top_level = 0;
! 		      last_result = last_command_exit_value = EX_BADUSAGE;
! 		      reset_parser ();
! 		      break;
! 		    }
  		}
  
***************
*** 332,336 ****
  
  	      if (flags & SEVAL_ONECMD)
! 		break;
  	    }
  	}
--- 345,352 ----
  
  	      if (flags & SEVAL_ONECMD)
! 		{
! 		  reset_parser ();
! 		  break;
! 		}
  	    }
  	}
*** ../bash-4.2.52/parse.y	2014-09-30 19:24:19.000000000 -0400
--- parse.y	2014-10-04 15:00:26.000000000 -0400
***************
*** 2436,2439 ****
--- 2436,2449 ----
  }
  
+ char *
+ parser_remaining_input ()
+ {
+   if (shell_input_line == 0)
+     return 0;
+   if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
+     return '\0';	/* XXX */
+   return (shell_input_line + shell_input_line_index);
+ }
+ 
  #ifdef INCLUDE_UNUSED
  /* Back the input pointer up by one, effectively `ungetting' a character. */
***************
*** 3891,3896 ****
    /* reset_parser clears shell_input_line and associated variables */
    restore_input_line_state (&ls);
!   if (interactive)
!     token_to_read = 0;
  
    /* Need to find how many characters parse_and_execute consumed, update
--- 3901,3906 ----
    /* reset_parser clears shell_input_line and associated variables */
    restore_input_line_state (&ls);
! 
!   token_to_read = 0;
  
    /* Need to find how many characters parse_and_execute consumed, update
*** ../bash-4.2.52/shell.h	2011-11-21 18:03:32.000000000 -0500
--- shell.h	2014-10-04 15:00:26.000000000 -0400
***************
*** 178,181 ****
--- 178,183 ----
  
  /* Let's try declaring these here. */
+ extern char *parser_remaining_input __P((void));
+ 
  extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
  extern void restore_parser_state __P((sh_parser_state_t *));
*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010
--- patchlevel.h	Thu Feb 24 21:41:34 2011
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 52
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 53
  
  #endif /* _PATCHLEVEL_H_ */