From 02220ca51a25913a5b81885066ac4ff2ca2490c5 Mon Sep 17 00:00:00 2001 From: William Cohen <wcohen@redhat.com> Date: Tue, 10 May 2011 14:38:26 -0400 Subject: [PATCH 3/4] Avoid blindly source $SETUP_FILE with '.' If there could be arbitrary commands in the $SETUP_FILE, the '.' command would blindly execute them. This change limits do_load_setup to only assigning values to variables. --- utils/opcontrol | 17 +++++++++++++---- 1 files changed, 13 insertions(+), 4 deletions(-) --- a/utils/opcontrol +++ b/utils/opcontrol @@ -434,9 +434,19 @@ { if test -f "$SETUP_FILE"; then # load the actual information from file - # FIXME this is insecure, arbitrary commands could be added to - # $SETUP_FILE and be executed as root - . $SETUP_FILE + while IFS== read -r arg val; do + clean_arg="`echo "${arg}" | tr -cd '[:alnum:]_'`" + clean_val="`echo "${val}" | tr -cd '[:alnum:]_:/.-'`" + if [ "x$arg" != "x$clean_arg" ]; then + echo "Invalid variable \"$arg\" in $SETUP_FILE." + exit 1 + fi + if [ "x$val" != "x$clean_val" ]; then + echo "Invalid value \"$val\" in $SETUP_FILE." + exit 1 + fi + eval "${clean_arg}=${clean_val}" + done < $SETUP_FILE fi } @@ -739,7 +749,6 @@ --save) error_if_empty $arg $val - error_if_not_basename $arg $val DUMP=yes SAVE_SESSION=yes SAVE_NAME=$val