summaryrefslogtreecommitdiff
path: root/sbin
diff options
context:
space:
mode:
authorKenneth R Westerback <krw@cvs.openbsd.org>2004-05-07 23:05:20 +0000
committerKenneth R Westerback <krw@cvs.openbsd.org>2004-05-07 23:05:20 +0000
commit149078bd741eeb4346d44fa0246fe9f3da5827e4 (patch)
treeb321c4baf13fab1ec1b6b9ef97c8a037916ad223 /sbin
parent68bb922084e7746f03fcce9c9f213a0c2a0bcd0e (diff)
Error out on attempts to inject command or variable substitution
into dhclient-script environment variables. Inspiration from todd@. ok henning@ deraadt@.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/dhclient/dhclient.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index a4d7d040bb0..808602cbaa8 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dhclient.c,v 1.49 2004/05/06 22:29:15 deraadt Exp $ */
+/* $OpenBSD: dhclient.c,v 1.50 2004/05/07 23:05:19 krw Exp $ */
/*
* Copyright 2004 Henning Brauer <henning@openbsd.org>
@@ -2021,6 +2021,15 @@ script_set_env(struct client_state *client, const char *prefix,
if (client->scriptEnv[i] == NULL)
error("script_set_env: no memory for variable assignment");
+ /* No `` or $() command substitution allowed in environment values! */
+ for (i=0; i < strlen(value); i++)
+ switch (value[i]) {
+ case '`':
+ case '$':
+ error("illegal character (%c) in value '%s'", value[i],
+ value);
+ /* not reached */
+ }
snprintf(client->scriptEnv[i], strlen(prefix) + strlen(name) +
1 + strlen(value) + 1, "%s%s=%s", prefix, name, value);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-01 07:06:03 +0000