mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-02-15 04:32:24 +00:00

Don't import/export readonly attribute via magic A__z env var

While automagically importing/exporting ksh variable attributes via
the environment is probably a misfeature in general (now disabled
for POSIX standard mode), doing so with the readonly attribute is
particularly problematic. Scripts can take into account the
possibility of importing unwanted attributes by unsetting or
typesetting variables before using them. But there is no way for a
script to get rid of an unwanted imported readonly variable. This
is a possible attack vector with no possible mitigation.

This commit blocks both the import and the export of the readonly
attribute through the environment. I consider it a security fix.

src/cmd/ksh93/sh/init.c: env_import_attributes():
- Clear NV_RDONLY from imported attributes before applying them.

src/cmd/ksh93/sh/name.c: sh_envgen():
- Remove NV_RDONLY from bitmask defining attributes to export.
Martijn Dekker 2021-04-21 03:56:03 +01:00
parent f28bce61a7
commit 7954855f21
4 changed files with 10 additions and 1 deletions

NEWS

@ -12,6 +12,9 @@ Any uppercase BUG_* names are modernish shell bug IDs.
3. The -c/--call, -n/--name and -s/--standard options matched all variable
names provided by 'getconf -a', even if none were actual matches.
- The readonly attribute of ksh variables is no longer imported from
or exported to other ksh shell instances through the environment.
2021-04-16:
- Fixed a bug in emacs mode: after using tab completion to complete the name
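Review bot: the new NEWS entry ("The readonly attribute of ksh variables is no longer imported from or exported to ...") states the behaviour change but not the reason. The commit message treats this as a security fix because a script has no way to get rid of an imported readonly variable; one sentence saying so in the entry would let packagers and administrators reading NEWS see why the change matters.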


@ -129,6 +129,9 @@ For more details, see the NEWS file and for complete details, see the git log.
To invoke a possible external command at that path, you can still use
a non-canonical path, e.g.: /opt//ast/bin/cat or /opt/ast/./bin/cat
24. The readonly attribute of ksh variables is no longer imported from
or exported to other ksh shell instances through the environment.
____________________________________________________________________________
KSH-93 VS. KSH-88
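Review bot: item 24 mentions only the readonly attribute, so a reader could take it to mean that attribute passing through the environment is gone altogether. The sh_envgen() change in this same commit still exports the other attributes when POSIX mode is off, so consider adding that scripts should still unset or typeset variables before use, as the commit message describes.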


@ -1986,6 +1986,9 @@ static void env_import_attributes(Shell_t *shp, char *next)
size--;
}
}
flag &= ~NV_RDONLY; /* refuse to import readonly attribute */
if(!flag)
continue;
nv_newattr(np,flag|NV_IMPORT|NV_EXPORT,size);
}
}
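Review bot: the added "if(!flag) continue;" after the mask means that a variable whose only imported attribute was readonly now skips nv_newattr() entirely, so the NV_IMPORT|NV_EXPORT bits passed in that call are not applied on this path. Please confirm that those bits are already set elsewhere for such a variable and say so in the comment next to "flag &= ~NV_RDONLY;". The commit also changes four files and none of them is a test; a regression test that sets the attribute variable in the environment of a child ksh and then checks that the named variable can still be unset would keep this check from being lost in a later refactor.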


@ -2241,7 +2241,7 @@ char **sh_envgen(void)
/* Export variable attributes into env var named by e_envmarker, unless POSIX mode is on */
cp = data.attval = strcopy(*data.argnam,e_envmarker);
if(!sh_isoption(SH_POSIX))
nv_scan(shp->var_tree, attstore,&data,0,(NV_RDONLY|NV_UTOL|NV_LTOU|NV_RJUST|NV_LJUST|NV_ZFILL|NV_INTEGER));
nv_scan(shp->var_tree, attstore,&data,0,(NV_UTOL|NV_LTOU|NV_RJUST|NV_LJUST|NV_ZFILL|NV_INTEGER));
*data.attval = 0;
if(cp!=data.attval)
data.argnam++;
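Review bot: the comment above the nv_scan() call still reads only "Export variable attributes into env var named by e_envmarker, unless POSIX mode is on" and does not say that NV_RDONLY is deliberately left out of the mask, so a later cleanup could add it back without noticing. Please note the exclusion in that comment. The import side in env_import_attributes() filters with a separate "flag &= ~NV_RDONLY;", so a single named mask of passable attributes used by both functions would keep the two in step. The import-side filter is the one that protects against a crafted environment; this export-side change only affects what this shell itself emits.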