diff options
| author | Theo Buehler <tb@cvs.openbsd.org> | 2020-02-21 18:21:24 +0000 |
|---|---|---|
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2020-02-21 18:21:24 +0000 |
| commit | b4c15d0ed3a4e4af97ce282086c015b165f718f3 (patch) | |
| tree | 6e047fe46ab11ad8e1c2d7daeba25ba93ca86537 /bin | |
| parent | 882c2e24a54ceb6b7cf3987bcb8955b8a68eb332 (diff) | |
Enforce that TMOUT is an integer literal to prevent command execution from
the environment at shell initialization time. During startup, ksh calls
'eval typeset -i TMOUT="${TMOUT:-0}"'. which allows command injection via
arithmetic expansion, e.g., by setting TMOUT to 'x[`/bin/echo Hi >&2`]'.
Problem noted by Andras Farkas and tj, inspired by a similar issue in
AT&T's ksh. Tested in snaps for two weeks.
"go for it" deraadt
Diffstat (limited to 'bin')
| -rw-r--r-- | bin/ksh/var.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/bin/ksh/var.c b/bin/ksh/var.c index a4dca7541a5..6cfe75e456c 100644 --- a/bin/ksh/var.c +++ b/bin/ksh/var.c @@ -1,4 +1,4 @@ -/* $OpenBSD: var.c,v 1.70 2018/06/18 21:46:05 millert Exp $ */ +/* $OpenBSD: var.c,v 1.71 2020/02/21 18:21:23 tb Exp $ */ #include <sys/stat.h> #include <sys/time.h> @@ -1052,6 +1052,10 @@ setspec(struct tbl *vp) vp->flag |= SPECIAL; break; case V_TMOUT: + /* Enforce integer to avoid command execution from initcoms[] */ + vp->flag &= ~SPECIAL; + intval(vp); + vp->flag |= SPECIAL; /* at&t ksh seems to do this (only listen if integer) */ if (vp->flag & INTEGER) ksh_tmout = vp->val.i >= 0 ? vp->val.i : 0; |