external/cde
1
0
Fork 0
mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-02-13 19:52:20 +00:00
Code Issues Releases Wiki Activity

init: Refuse to import $KSH_VERSION from environment

Browse source 
$KSH_VERSION is initialised as a nameref to ${.sh.version}, but it
was not realiable as it could be overridden from the environment.
Some scripts do version checking so this would allow influencing
their execution.

This fix is inspired by the following Solaris patch:
https://github.com/oracle/solaris-userland/blob/master/components/ksh93/patches/200-17435456.patch
but a different approach was needed, because the code has changed
(see 960a1a99).

src/cmd/ksh93/sh/init.c: env_init():
- Refuse to import $KSH_VERSION. Using strncmp(3) might be crude,
  but it's effective and I can't figure out another way.
This commit is contained in:
Martijn Dekker 2021-01-08 21:59:30 +00:00
parent 13e7b26202
commit 86fc4c6d0a
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/cmd/ksh93/sh/init.c
View file

@ -1911,6 +1911,8 @@ static char *env_init(Shell_t *shp)
/* The magic A__z env var is an invention of ksh88. See e_envmarker[]. */
if(*cp=='A' && cp[1]=='_' && cp[2]=='_' && cp[3]=='z' && cp[4]=='=')
next = cp + 4;
else if(strncmp(cp,"KSH_VERSION=",12)==0)
continue;
else if(np = nv_open(cp,shp->var_tree,(NV_EXPORT|NV_IDENT|NV_ASSIGN|NV_NOFAIL)))
{
nv_onattr(np,NV_IMPORT);