Module: sip-router Branch: 4.0 Commit: e97250982c3d9fdc1d7dcba59f7bc0a9256264b9 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e9725098...
Author: Seudin Kasumovic seudin.kasumovic@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: Thu Sep 25 16:56:28 2014 +0200
exec: safety check against bash vulnerability CVE-2014-6271
(cherry picked from commit d5d57c0df931c9d60432def919c837cc76e4ce42) (cherry picked from commit aebd010ee1ebff8a70877164fb7b508c1ca5503d)
---
modules/exec/exec_hf.c | 18 ++++++++++++++---- 1 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/modules/exec/exec_hf.c b/modules/exec/exec_hf.c
index 37eaf27..1338cbc 100644
--- a/modules/exec/exec_hf.c
+++ b/modules/exec/exec_hf.c
@@ -256,12 +256,22 @@ static int print_hf_var(struct hf_wrapper *w, int offset)
 memcpy(envvar, w->prefix, w->prefix_len); c=envvar+w->prefix_len;
 memcpy(c, hname, hlen ); c+=hlen;
 *c=EV_ASSIGN;c++;
- memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
- c+=w->u.hf->body.len;
+ if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+ memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+ c+=(w->u.hf->body.len-2);
+ } else {
+ memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+ c+=w->u.hf->body.len;
+ }
 for (wi=w->next_same; wi; wi=wi->next_same) {
 *c=HF_SEPARATOR;c++;
- memcpy(c, wi->u.hf->body.s+offset, wi->u.hf->body.len );
- c+=wi->u.hf->body.len;
+ if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+ memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+ c+=(w->u.hf->body.len-2);
+ } else {
+ memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+ c+=w->u.hf->body.len;
+ }
 }
 *c=0; /* zero termination */
 LM_DBG("%s\n", envvar );
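Review bot: Inside the `for` loop the added branch tests and copies `w->u.hf->body` where the removed lines used `wi->u.hf->body`, so each further same-named header is written as another copy of the first header's body and its own value is never checked. If `envvar` was sized from the `wi` lengths (the allocation is outside the hunk), that copy can also run past the buffer. Separately, `MIN(body.len,4)` lets `strncmp` report a match for an empty or one-byte body, since a zero-length comparison returns 0, and `body.len-2` is then negative when it reaches `memcpy`. Both checks should require `body.len>=4` and the loop should use `wi` throughout, as in the fence below. The function print_hf_var starts and ends outside the hunk.

```c
/* … unchanged: prefix, header name and EV_ASSIGN copy … */
if (w->u.hf->body.len>=4 && !strncmp(w->u.hf->body.s,"() {",4)) {
	/* … unchanged: copy of w's body without its first two bytes … */
} else {
	/* … unchanged: plain copy of w's body … */
}
for (wi=w->next_same; wi; wi=wi->next_same) {
	*c=HF_SEPARATOR;c++;
	if (wi->u.hf->body.len>=4 && !strncmp(wi->u.hf->body.s,"() {",4)) {
		memcpy(c, wi->u.hf->body.s+offset+2, wi->u.hf->body.len-2 );
		c+=(wi->u.hf->body.len-2);
	} else {
		memcpy(c, wi->u.hf->body.s+offset, wi->u.hf->body.len );
		c+=wi->u.hf->body.len;
	}
}
/* … unchanged: zero termination and LM_DBG … */
```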