From: Dan Fandrich
Date: Fri, 27 Jun 2025 18:07:10 +0000 (-0700)
Subject: firefox-db2pem: avoid use of eval in script
X-Git-Tag: curl-8_15_0~134
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b98f596c888584be5ce655c5ee39fe65e2c41e5;p=thirdparty%2Fcurl.git

firefox-db2pem: avoid use of eval in script

This could potentially be exploited by manipulating nicknames in the cert DB.

Reported-by: behindtheblackwall on hackerone
Closes #17766
---

diff --git a/scripts/firefox-db2pem.sh b/scripts/firefox-db2pem.sh
index 57252b4057..2a4b9ceace 100755
--- a/scripts/firefox-db2pem.sh
+++ b/scripts/firefox-db2pem.sh
@@ -57,5 +57,5 @@ sed -e 's/ *[CcGTPpu]*,[CcGTPpu]*,[CcGTPpu]* *$//' -e 's/\(.*\)/"\1"/' | \
 sort | \
 while read -r nickname; \
 do echo "$nickname" | sed -e "s/Builtin Object Token://g"; \
-eval certutil -d "$db" -L -n "$nickname" -a ; \
+ echo "$nickname" | xargs -I{} certutil -d "$db" -L -a -n {} ; \
 done >> "$out"
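Review bot: The added `xargs -I{}` line still sends the nickname through a quote parser, because it depends on xargs removing the `"..."` wrapper that the sed stage shown in the hunk header puts around each name. A nickname that itself contains a double quote is then either rejected by xargs as an unmatched quote or passed to `certutil -n` with its quotes removed, so that certificate is missing from `$out`, and nothing visible in the hunk checks the exit status. Stripping the wrapper in the shell and passing the value as one quoted argument avoids any second parse: `n=${nickname#\"}; n=${n%\"}; certutil -d "$db" -L -a -n "$n" ; \`. The pipeline feeding this loop starts above the hunk, so whether the wrapper is needed elsewhere cannot be confirmed from here.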