author | Daniel Golle <daniel@makrotopia.org> | 2018-02-12 23:36:54 +0100 |
---|---|---|
committer | Daniel Golle <daniel@makrotopia.org> | 2018-02-13 00:01:44 +0100 |
commit | 267873ac9b9e5565f1f1550c931c413f5b5dda9d (patch) | |
tree | c0106de9dcadc57b5386b1e732d14866057343ab | |
parent | 49d3c5f057768cfc6e0545267256c64baf19a4e2 (diff) | |
download | upstream-267873ac9b9e5565f1f1550c931c413f5b5dda9d.tar.gz upstream-267873ac9b9e5565f1f1550c931c413f5b5dda9d.tar.bz2 upstream-267873ac9b9e5565f1f1550c931c413f5b5dda9d.zip |
base-files: don't evaluate block-device uevent
Current code and also before commit da52dd0c83 was vulnerable to shell
injection using volume labels in the GPT partition table of block
devices. Given that partition names can be freely defined in GPT tables
we really shouldn't evaluate a string which is potentially crafted with
evil intentions. Hence rather use `export -n` to absorb the uevent's
variables into the environment.
Fixes commit da52dd0c83 (base-files: quote values when evaluating uevent)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[mschiffer@universe-factory.net: suggested export -n usage]
-rw-r--r-- | package/base-files/files/lib/upgrade/common.sh | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/package/base-files/files/lib/upgrade/common.sh b/package/base-files/files/lib/upgrade/common.sh
index 616131c89c..5f5c9dc8a3 100644
--- a/package/base-files/files/lib/upgrade/common.sh
+++ b/package/base-files/files/lib/upgrade/common.sh
@@ -101,7 +101,7 @@ get_magic_long() {
 }
 export_bootdevice() {
-	local cmdline uuid disk uevent
+	local cmdline uuid disk uevent line
 	local MAJOR MINOR DEVNAME DEVTYPE
 	if read cmdline < /proc/cmdline; then
@@ -134,7 +134,9 @@ export_bootdevice() {
 	esac
 	if [ -e "$uevent" ]; then
-		eval "$(sed "s/=\(.*\)/=\'\1\'/" < "$uevent")"
+		while read line; do
+			export -n "$line"
+		done < "$uevent"
 		export BOOTDEV_MAJOR=$MAJOR
 		export BOOTDEV_MINOR=$MINOR
 		return 0
@@ -146,10 +148,12 @@ export_bootdevice() {
 export_partdevice() {
 	local var="$1" offset="$2"
-	local uevent MAJOR MINOR DEVNAME DEVTYPE
+	local uevent line MAJOR MINOR DEVNAME DEVTYPE
 	for uevent in /sys/class/block/*/uevent; do
-		eval "$(sed "s/=\(.*\)/=\'\1\'/" < "$uevent")"
+		while read line; do
+			export -n "$line"
+		done < "$uevent"
 		if [ $BOOTDEV_MAJOR = $MAJOR -a $(($BOOTDEV_MINOR + $offset)) = $MINOR -a -b "/dev/$DEVNAME" ]; then
 			export "$var=$DEVNAME"
 			return 0
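Review bot: The new `while read line; do export -n "$line"; done < "$uevent"` loop in export_bootdevice (and the identical loop in export_partdevice in the third hunk) assigns every `NAME=value` line the uevent file contains, not just the four names the function declares `local`, so any other key the kernel writes for that device stays set in the caller's shell after the function returns, and a line that is not a well-formed assignment may make `export -n` fail with a bad-variable-name error instead of being skipped. `read` without `-r` also rewrites backslashes in the value before it is assigned. Restricting the loop to the keys the function actually consumes keeps the rest of the shell state out of reach of data read from the device; `export -n` is a busybox-ash/bash extension rather than POSIX, which is fine for this target but deserves a one-line comment such as `# export -n: assign without exporting (ash/bash extension)`. export_partdevice's body continues past the end of the third hunk.
```sh
	while read -r line; do
		case "$line" in
			MAJOR=*|MINOR=*|DEVNAME=*|DEVTYPE=*) export -n "$line" ;;
		esac
	done < "$uevent"
```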