Unverified Commit 482f5962 authored by Ansgar

at: only retain variables whose name consists of alphanumerics and underscores

Since a recent security update[1] bash might export variables named
BASH_FUNC_*() to the environment which the serialization code in at
cannot handle properly.

  [1] <https://www.debian.org/security/2014/dsa-3035>
parent 8e03ec55
......@@ -390,6 +390,22 @@ writefile(time_t runtimer, char queue)
int export = 1;
char *eqp;
/* Only accept alphanumerics and underscore in variable names.
* Also require the name to not start with a digit.
* Some shells don't like other variable names.
*/
{
char *p = *atenv;
if (isdigit(*p))
export = 0;
for (; *p != '=' && *p != '\0'; ++p) {
if (!isalnum(*p) && *p != '_') {
export = 0;
break;
}
}
}
eqp = strchr(*atenv, '=');
if (ap == NULL)
eqp = *atenv;
......
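Review bot: the `isdigit(*p)` and `isalnum(*p)` calls in the new block pass a plain `char`, which is undefined behaviour in C when the value is negative (any byte above 0x7f in an environment string on a platform where `char` is signed); cast first, for example `isalnum((unsigned char)*p)`. Both functions also follow the current locale, so if the intent is strictly ASCII names, an explicit range check is more predictable. Separately, an entry whose name is empty (the string starts with `=` or is empty) never enters the loop body and leaves `export` at 1; rejecting `*p == '='` and `*p == '\0'` before the loop would close that case. A short comment noting that this filter is what drops the `BASH_FUNC_*()` names mentioned in the commit message would help later readers.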