Commit | Line | Data |
---|---|---|
a0c0a00f CR |
1 | # normal operation: a function marked with export -f must be callable by name in a child ${THIS_SH}, including one whose name contains a hyphen (foo-a); each call echoes its "exportfunc ok N" marker |
2 | foo() | |
3 | { | |
4 | echo exportfunc ok 1 | |
5 | } | |
6 | export -f foo | |
7 | ${THIS_SH} -c foo | |
8 | unset -f foo | |
9 | foo-a () | |
10 | { | |
11 | echo exportfunc ok 2 | |
12 | } | |
13 | export -f foo-a | |
14 | ${THIS_SH} -c 'foo-a' | |
15 | ||
16 | # CVE-2014-6271: the BASH_FUNC_foo%% value carries a function definition followed by "; echo BAD"; importing it may define foo but must never execute the trailing command, so BAD on stdout marks a vulnerable shell (env -i keeps the rest of the environment out of the child) | |
17 | ||
18 | env -i BASH_FUNC_foo%%='() { echo cve6271 ok; } ; echo BAD' ${THIS_SH} -c foo 2>/dev/null | |
19 | ||
20 | # CVE-2014-7169: an unterminated definition ending in a redirection operator and a backslash must not leave parser state behind that turns the next command word into a redirection target; the file named after that word (cve7169-bad, then cve7169-bad2 for the eval-and-source variant) must not be created, so each ": <" probe should fail with a missing-file error. NOTE(review): the helper is written to $TMPDIR/bar but sourced as ./bar, which only match when TMPDIR is the working directory - confirm | |
21 | ||
22 | rm -f cve7169-bad | |
23 | env -i BASH_FUNC_X%%='() { (a)=>\' ${THIS_SH} -c cve7169-bad 2>/dev/null | |
24 | : < cve7169-bad | |
25 | rm -f cve7169-bad | |
26 | ||
27 | echo cve7169-bad2 > $TMPDIR/bar | |
28 | rm -f cve7169-bad2 | |
29 | eval 'X() { (a)>\' ; . ./bar 2>/dev/null | |
30 | : < cve7169-bad2 | |
31 | rm -f cve7169-bad2 $TMPDIR/bar | |
32 | ||
33 | # CVE-2014-7186: exercised in a child shell by ./exportfunc1.sub, which is not shown here (presumably the here-document nesting case that CVE covers - confirm against the .sub file) | |
34 | ${THIS_SH} ./exportfunc1.sub | |
35 | ||
36 | # CVE-2014-7187: exercised in a child shell by ./exportfunc2.sub, which is not shown here (presumably the deeply nested loop case that CVE covers - confirm against the .sub file) | |
37 | ${THIS_SH} ./exportfunc2.sub | |
38 | ||
39 | # CVE-2014-6277: imported values that mix nested function definitions, "&" and here-documents (one with a 100000-character delimiter generated by perl, so perl must be on PATH) are presumably expected to be rejected by the parser without crashing or running anything; stderr is discarded, so only stdout and the exit behaviour are observable. The third case passes a similar construct through -c instead of the environment | |
40 | ||
41 | env BASH_FUNC_foo%%="() { 000(){>0;}&000(){ 0;}<<0 0" ${THIS_SH} -c foo 2>/dev/null | |
42 | env BASH_FUNC_foo%%="() { 000(){>0;}&000(){ 0;}<<`perl -e '{print "A"x100000}'` 0" ${THIS_SH} -c foo 2>/dev/null | |
43 | ${THIS_SH} -c "f(){ x(){ _;}; x(){ _;}<<a;}" 2>/dev/null | |
44 | ||
45 | # CVE-2014-6278: text that follows the function body in an imported value must not be parsed as a second command and run at import time (the child itself only runs ":"); a vulnerable shell would show id output, create HELLO_WORLD (probed with ": <") or print vuln. The eval lines feed the same text directly as shell code; the last one has an explicit ";" and is presumably expected to print "eval ok" | |
46 | ||
47 | env 'BASH_FUNC_FOO%%=() { 0;}>r[0${$(}0 {>"$(id >/dev/tty)"; }' ${THIS_SH} -c : 2>/dev/null | |
48 | ||
49 | rm -f HELLO_WORLD | |
50 | env BASH_FUNC_FOO%%='() { 0;}>r[0${$(}0 {>HELLO_WORLD; }' ${THIS_SH} -c : 2>/dev/null | |
51 | : < HELLO_WORLD | |
52 | ||
53 | env BASH_FUNC_x%%='() { _;}>_[$($())] { echo vuln;}' ${THIS_SH} -c : 2>/dev/null | |
54 | ||
55 | env -i BASH_FUNC_x%%='() { _; } >_[${ $() }] { id; }' ${THIS_SH} -c : 2>/dev/null | |
56 | ||
57 | env BASH_FUNC_x%%=$'() { _;}>_[$($())]\n{ echo vuln;}' ${THIS_SH} -c : 2>/dev/null | |
58 | eval 'x() { _;}>_[$($())] { echo vuln;}' 2>/dev/null | |
59 | ||
60 | eval 'foo() { _; } >_[${ $() }] ;{ echo eval ok; }' | |
61 | ||
62 | # other tests fixed in bash43-030 concerning function name transformation: the text between BASH_FUNC_ and %% contains a newline, surrounding spaces or "#badname" (the last with a value that also carries a second definition of foo), and the child then calls foo; presumably none of these may end up defining foo, i.e. no transform-N output - confirm against the expected-output file | |
63 | env $'BASH_FUNC_\nfoo%%=() { echo transform-1; }' ${THIS_SH} -c foo 2>/dev/null | |
64 | env $'BASH_FUNC_foo\n%%=() { echo transform-2; }' ${THIS_SH} -c foo 2>/dev/null | |
65 | env $'BASH_FUNC_ foo %%=() { echo transform-3; }' ${THIS_SH} -c foo 2>/dev/null | |
66 | ||
67 | unset -f foo | |
68 | env $'BASH_FUNC_#badname%%'=$'() { :; }\nfoo () { echo transform-4; } ' ${THIS_SH} -c 'foo' 2>/dev/null | |
69 | ||
70 | # tests of exported names: run in a child shell by ./exportfunc3.sub, which is not shown here | |
71 | ${THIS_SH} ./exportfunc3.sub |