[VAR] Sanitise environment variable names on entry

On Tue, Feb 14, 2012 at 10:48:48AM +0000, harald@redhat.com wrote:
> 
> "export -p" prints all environment variables, without checking if the
> environment variable is a valid dash variable name.
> 
> IMHO, the only valid usecase for "export -p" is to eval the output.
> 
> $ eval $(export -p); echo OK
> OK
> 
> Without this patch the following test does error out with:
> 
> test.py:
> import os
> os.environ["test-test"]="test"
> os.environ["test_test"]="test"
> os.execv("./dash", [ './dash', '-c', 'eval $(export -p); echo OK' ])
> 
> $ python test.py
> ./dash: 1: export: test-test: bad variable name
> 
> Of course the results can be more evil, if the environment variable
> name is crafted, that it injects valid shell code.

This patch fixes the issue by sanitising all environment variable names
upon entry into the shell.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

1 files changed, 2 insertions, 1 deletions

diff --git a/src/var.c b/src/var.c
index 027beff..dc90249 100644
--- a/src/var.c
+++ b/src/var.c
@@ -136,7 +136,8 @@ INIT {
 
 	initvar();
 	for (envp = environ ; *envp ; envp++) {
-		if (strchr(*envp, '=')) {
+		p = endofname(*envp);
+		if (p != *envp && *p == '=') {
 			setvareq(*envp, VEXPORT|VTEXTFIXED);
 		}
 	}