From: Harald Hoyer <harald@xxxxxxxxxx>

"export -p" prints all environment variables, without checking if the environment variable is a valid dash variable name. IMHO, the only valid use case for "export -p" is to eval the output.

$ eval $(export -p); echo OK
OK

Without this patch the following test does error out with:

test.py:
import os
os.environ["test-test"]="test"
os.environ["test_test"]="test"
os.execv("./dash", [ './dash', '-c', 'eval $(export -p); echo OK' ])

$ python test.py
./dash: 1: export: test-test: bad variable name

Of course the results can be more evil, if the environment variable name is crafted so that it injects valid shell code.
---
 src/var.c | 9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/var.c b/src/var.c index 027beff..06771d3 100644 --- a/src/var.c +++ b/src/var.c @@ -409,12 +409,15 @@ showvars(const char *prefix, int on, int off) for (; ep < epend; ep++) { const char *p; const char *q; - + const char *r; + r = endofname(*ep); p = strchrnul(*ep, '='); q = nullstr; - if (*p) + if (*p) { + if (p != r) + continue; q = single_quote(++p); - + } out1fmt("%s%s%.*s%s\n", prefix, sep, (int)(p - *ep), *ep, q); } -- 1.7.9
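Review bot: the new name check `if (p != r) continue;` sits inside `if (*p) {`, so an environ entry that contains no `=` at all but does contain a non-name character is still printed verbatim; placing the comparison directly after `p = strchrnul(*ep, '=');` and before the `if (*p)` branch covers both cases and makes the added braces unnecessary. The empty-name case also deserves a look: for an entry such as `=foo`, `p` points at offset 0, and if `endofname()` returns its argument unchanged when the first character is not a name character, then `p == r == *ep` and the entry passes the check, producing output that `eval` will reject; rejecting `p == *ep` as well, and adding such an entry to the test in the commit message, would close that. A one-line comment above the `continue` stating that the entry is skipped because its name would not survive `eval` would help the next reader understand why a valid environ entry is silently dropped.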