Fix shell injection vulnerability in patch(1) via ed(1) by
tightening sanity check of the input. [1] While I'm there also replace ed(1) with red(1) because we do not need the unrestricted functionality. [2] Obtained from: Bitrig [1], DragonFly [2] Security: CVE-2015-1418 [1]
This commit is contained in:
parent
8b20bb9f26
commit
90e38dfd93
@ -9,4 +9,4 @@
|
||||
|
||||
#include <paths.h>
|
||||
|
||||
#define _PATH_ED "/bin/ed"
|
||||
#define _PATH_RED "/bin/red"
|
||||
|
@ -1,4 +1,3 @@
|
||||
|
||||
/*-
|
||||
* Copyright 1986, Larry Wall
|
||||
*
|
||||
@ -1410,13 +1409,14 @@ do_ed_script(void)
|
||||
char *t;
|
||||
off_t beginning_of_this_line;
|
||||
FILE *pipefp = NULL;
|
||||
int continuation;
|
||||
|
||||
if (!skip_rest_of_patch) {
|
||||
if (copy_file(filearg[0], TMPOUTNAME) < 0) {
|
||||
unlink(TMPOUTNAME);
|
||||
fatal("can't create temp file %s", TMPOUTNAME);
|
||||
}
|
||||
snprintf(buf, buf_size, "%s%s%s", _PATH_ED,
|
||||
snprintf(buf, buf_size, "%s%s%s", _PATH_RED,
|
||||
verbose ? " " : " -s ", TMPOUTNAME);
|
||||
pipefp = popen(buf, "w");
|
||||
}
|
||||
@ -1434,7 +1434,19 @@ do_ed_script(void)
|
||||
(*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) {
|
||||
if (pipefp != NULL)
|
||||
fputs(buf, pipefp);
|
||||
if (*t != 'd') {
|
||||
if (*t == 's') {
|
||||
for (;;) {
|
||||
continuation = 0;
|
||||
t = strchr(buf, '\0') - 1;
|
||||
while (--t >= buf && *t == '\\')
|
||||
continuation = !continuation;
|
||||
if (!continuation ||
|
||||
pgets(true) == 0)
|
||||
break;
|
||||
if (pipefp != NULL)
|
||||
fputs(buf, pipefp);
|
||||
}
|
||||
} else if (*t != 'd') {
|
||||
while (pgets(true)) {
|
||||
p_input_line++;
|
||||
if (pipefp != NULL)
|
||||
|
Loading…
Reference in New Issue
Block a user