Commit | Line | Data |
---|---|---|
8868edaf CR |
1 | # This program is free software: you can redistribute it and/or modify |
2 | # it under the terms of the GNU General Public License as published by | |
3 | # the Free Software Foundation, either version 3 of the License, or | |
4 | # (at your option) any later version. | |
5 | # | |
6 | # This program is distributed in the hope that it will be useful, | |
7 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
8 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
9 | # GNU General Public License for more details. | |
10 | # | |
11 | # You should have received a copy of the GNU General Public License | |
12 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |
13 | # | |
a0c0a00f CR |
14 | # normal operation: a function marked with export -f must be callable from a child ${THIS_SH} -c; covers a plain name (foo) and a name containing a hyphen (foo-a) |
15 | foo() | |
16 | { | |
17 | echo exportfunc ok 1 | |
18 | } | |
19 | export -f foo | |
20 | ${THIS_SH} -c foo | |
21 | unset -f foo | |
22 | foo-a () | |
23 | { | |
24 | echo exportfunc ok 2 | |
25 | } | |
26 | export -f foo-a | |
27 | ${THIS_SH} -c 'foo-a' | |
28 | ||
29 | # CVE-2014-6271: the BASH_FUNC_foo%% value carries a command (echo BAD) after the function body; importing the definition must not execute it, so BAD on stdout means a regression. env -i gives the child an otherwise empty environment and stderr is discarded, so stdout is the only signal. | |
30 | ||
31 | env -i BASH_FUNC_foo%%='() { echo cve6271 ok; } ; echo BAD' ${THIS_SH} -c foo 2>/dev/null | |
32 | ||
33 | # CVE-2014-7169: a definition ending in an unfinished redirection must not leave a redirection behind that creates a file named after the next command word. Each probe removes the file, feeds the malformed definition (once through the environment, once through eval), then runs ': < file', which fails when the file is absent - presumably the outcome recorded as correct, TODO confirm against the expected output. NOTE(review): the second probe writes $TMPDIR/bar but sources ./bar, which is the same file only when TMPDIR is the current directory - confirm. | |
34 | ||
35 | rm -f cve7169-bad | |
36 | env -i BASH_FUNC_X%%='() { (a)=>\' ${THIS_SH} -c cve7169-bad 2>/dev/null | |
37 | : < cve7169-bad | |
38 | rm -f cve7169-bad | |
39 | ||
40 | echo cve7169-bad2 > $TMPDIR/bar | |
41 | rm -f cve7169-bad2 | |
42 | eval 'X() { (a)>\' ; . ./bar 2>/dev/null | |
43 | : < cve7169-bad2 | |
44 | rm -f cve7169-bad2 $TMPDIR/bar | |
45 | ||
46 | # CVE-2014-7186 (out-of-bounds access in the parser's here-document redirection handling); the test body lives in exportfunc1.sub, run in a separate ${THIS_SH} process | |
47 | ${THIS_SH} ./exportfunc1.sub | |
48 | ||
49 | # CVE-2014-7187 (off-by-one in the parser on deeply nested loops); the test body lives in exportfunc2.sub, run in a separate ${THIS_SH} process | |
50 | ${THIS_SH} ./exportfunc2.sub | |
51 | ||
52 | # CVE-2014-6277: malformed nested function definitions combined with here-documents, first with a short delimiter, then with a 100000-byte delimiter generated by perl (so perl must be on PATH), then the same shape passed through -c instead of the environment. Presumably the check is that the shell rejects these and exits cleanly; stderr is discarded, so a clean run should print nothing here - TODO confirm against the expected output. | |
53 | ||
54 | env BASH_FUNC_foo%%="() { 000(){>0;}&000(){ 0;}<<0 0" ${THIS_SH} -c foo 2>/dev/null | |
55 | env BASH_FUNC_foo%%="() { 000(){>0;}&000(){ 0;}<<`perl -e '{print "A"x100000}'` 0" ${THIS_SH} -c foo 2>/dev/null | |
56 | ${THIS_SH} -c "f(){ x(){ _;}; x(){ _;}<<a;}" 2>/dev/null | |
57 | ||
58 | # CVE-2014-6278: values that place a redirection and a second brace group after the function body; the trailing group must not run when the definition is imported or evaluated. Failure signs are output from id, the word vuln, or a HELLO_WORLD file (probed with ': < HELLO_WORLD', which fails when the file is absent). NOTE(review): the first case sends id output to /dev/tty, which a harness comparing captured stdout would not see - confirm how that case is meant to be observed. NOTE(review): the final eval keeps stderr and echoes 'eval ok' after a ';', so it looks like the one case expected to produce output - confirm. | |
59 | ||
60 | env 'BASH_FUNC_FOO%%=() { 0;}>r[0${$(}0 {>"$(id >/dev/tty)"; }' ${THIS_SH} -c : 2>/dev/null | |
61 | ||
62 | rm -f HELLO_WORLD | |
63 | env BASH_FUNC_FOO%%='() { 0;}>r[0${$(}0 {>HELLO_WORLD; }' ${THIS_SH} -c : 2>/dev/null | |
64 | : < HELLO_WORLD | |
65 | ||
66 | env BASH_FUNC_x%%='() { _;}>_[$($())] { echo vuln;}' ${THIS_SH} -c : 2>/dev/null | |
67 | ||
68 | env -i BASH_FUNC_x%%='() { _; } >_[${ $() }] { id; }' ${THIS_SH} -c : 2>/dev/null | |
69 | ||
70 | env BASH_FUNC_x%%=$'() { _;}>_[$($())]\n{ echo vuln;}' ${THIS_SH} -c : 2>/dev/null | |
71 | eval 'x() { _;}>_[$($())] { echo vuln;}' 2>/dev/null | |
72 | ||
73 | eval 'foo() { _; } >_[${ $() }] ;{ echo eval ok; }' | |
74 | ||
75 | # other tests fixed in bash43-030 concerning function name transformation: the BASH_FUNC_ variable names here contain a newline, surrounding spaces, or '#badname' with a second definition of foo in the value. Presumably none of them may end up defining foo, so any transform-N line on stdout indicates a regression - TODO confirm against the expected output. stderr is discarded in every case. | |
76 | env $'BASH_FUNC_\nfoo%%=() { echo transform-1; }' ${THIS_SH} -c foo 2>/dev/null | |
77 | env $'BASH_FUNC_foo\n%%=() { echo transform-2; }' ${THIS_SH} -c foo 2>/dev/null | |
78 | env $'BASH_FUNC_ foo %%=() { echo transform-3; }' ${THIS_SH} -c foo 2>/dev/null | |
79 | ||
80 | unset -f foo | |
81 | env $'BASH_FUNC_#badname%%'=$'() { :; }\nfoo () { echo transform-4; } ' ${THIS_SH} -c 'foo' 2>/dev/null | |
82 | ||
83 | # tests of exported names; the test body lives in exportfunc3.sub, run in a separate ${THIS_SH} process | |
84 | ${THIS_SH} ./exportfunc3.sub |