mirror of https://github.com/hak5/openwrt.git
base-files: don't evaluate block-device uevent
Current code and also before commitopenwrt-18.06da52dd0c83
was vulnerable to shell injection using volume lables in the GPT partition table of block devices. Given that partition names can be freely defined in GPT tables we really shouldn't evaluate a string which is potentially crafted with evil intentions. Hence rather use `export -n` to absorb the uevent's variables into the environment. Fixes commitda52dd0c83
(base-files: quote values when evaluating uevent) Signed-off-by: Daniel Golle <daniel@makrotopia.org> [mschiffer@universe-factory.net: suggested export -n usage]
parent
49d3c5f057
commit
267873ac9b
|
@ -101,7 +101,7 @@ get_magic_long() {
|
|||
}
|
||||
|
||||
export_bootdevice() {
|
||||
local cmdline uuid disk uevent
|
||||
local cmdline uuid disk uevent line
|
||||
local MAJOR MINOR DEVNAME DEVTYPE
|
||||
|
||||
if read cmdline < /proc/cmdline; then
|
||||
|
@ -134,7 +134,9 @@ export_bootdevice() {
|
|||
esac
|
||||
|
||||
if [ -e "$uevent" ]; then
|
||||
eval "$(sed "s/=\(.*\)/=\'\1\'/" < "$uevent")"
|
||||
while read line; do
|
||||
export -n "$line"
|
||||
done < "$uevent"
|
||||
export BOOTDEV_MAJOR=$MAJOR
|
||||
export BOOTDEV_MINOR=$MINOR
|
||||
return 0
|
||||
|
@ -146,10 +148,12 @@ export_bootdevice() {
|
|||
|
||||
export_partdevice() {
|
||||
local var="$1" offset="$2"
|
||||
local uevent MAJOR MINOR DEVNAME DEVTYPE
|
||||
local uevent line MAJOR MINOR DEVNAME DEVTYPE
|
||||
|
||||
for uevent in /sys/class/block/*/uevent; do
|
||||
eval "$(sed "s/=\(.*\)/=\'\1\'/" < "$uevent")"
|
||||
while read line; do
|
||||
export -n "$line"
|
||||
done < "$uevent"
|
||||
if [ $BOOTDEV_MAJOR = $MAJOR -a $(($BOOTDEV_MINOR + $offset)) = $MINOR -a -b "/dev/$DEVNAME" ]; then
|
||||
export "$var=$DEVNAME"
|
||||
return 0
|
||||
|
|
Loading…
Reference in New Issue