author | Daniel Golle <daniel@makrotopia.org> | 2018-02-02 01:57:46 +0100 |
---|---|---|
committer | Daniel Golle <daniel@makrotopia.org> | 2018-02-15 14:39:47 +0100 |
commit | f60be720772cac8a13d7759be14814d14698a45f (patch) | |
tree | 7df38010cc9129f3dcf31c855d1f81dacaca075c | |
parent | 623cdc4ffeef8e95ba7ab02288c044b2186d121a (diff) | |
base-files: don't evaluate block-device uevent
Backport commits fixing the detection of GPT partition names during
preinit and sysupgrade, closing a shell-injection vulnerability.
da52dd0c83 ("base-files: quote values when evaluating uevent")
267873ac9b ("base-files: don't evaluate block-device uevent")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r-- | package/base-files/files/lib/upgrade/common.sh | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/package/base-files/files/lib/upgrade/common.sh b/package/base-files/files/lib/upgrade/common.sh
index 3ddd1e7465..8c1b3b180e 100644
--- a/package/base-files/files/lib/upgrade/common.sh
+++ b/package/base-files/files/lib/upgrade/common.sh
@@ -208,7 +208,7 @@ get_magic_long() {
 }
 export_bootdevice() {
- local cmdline uuid disk uevent
+ local cmdline uuid disk uevent line
 local MAJOR MINOR DEVNAME DEVTYPE
 if read cmdline < /proc/cmdline; then
@@ -241,8 +241,9 @@ export_bootdevice() {
 esac
 if [ -e "$uevent" ]; then
- . "$uevent"
-
+ while read line; do
+ export -n "$line"
+ done < "$uevent"
 export BOOTDEV_MAJOR=$MAJOR
 export BOOTDEV_MINOR=$MINOR
 return 0
@@ -254,10 +255,12 @@ export_bootdevice() {
 export_partdevice() {
 local var="$1" offset="$2"
- local uevent MAJOR MINOR DEVNAME DEVTYPE
+ local uevent line MAJOR MINOR DEVNAME DEVTYPE
 for uevent in /sys/class/block/*/uevent; do
- . "$uevent"
+ while read line; do
+ export -n "$line"
+ done < "$uevent"
 if [ $BOOTDEV_MAJOR = $MAJOR -a $(($BOOTDEV_MINOR + $offset)) = $MINOR -a -b "/dev/$DEVNAME" ]; then
 export "$var=$DEVNAME"
 return 0 |
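Review bot: The new `while read line; do export -n "$line"; done` loop in the second hunk (export_bootdevice), repeated unchanged in the export_partdevice hunk, still assigns every key the uevent file carries and reads it without `-r` or `IFS=`. Without `-r`, `read` interprets backslashes in a value, and a trailing backslash joins the next line into the same assignment. Only MAJOR, MINOR, DEVNAME and DEVTYPE are declared `local`, so any other key in the file (a partition-name key, for instance, given the commit message) is set in the global shell scope with a value that may originate from the partition table. Reading raw and assigning only the declared keys would tighten both loops, assuming nothing outside the hunks relies on the other keys; both function bodies extend beyond the hunks shown.

```shell
while IFS= read -r line; do
	case "$line" in
		MAJOR=*|MINOR=*|DEVNAME=*|DEVTYPE=*) export -n "$line" ;;
	esac
done < "$uevent"
```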