
2014-09-25

2014-09-25 13:35:43 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Scripting: Protect more places against Shellshock.

Roxen.build_roxen_env_vars() and Roxen.build_env_vars() now
attempt to protect against Shellshock.

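--- a/Roxen.pmod
+++ b/Roxen.pmod
@@ -1,5 +1,5 @@
 // This is a roxen pike module. Copyright © 1999 - 2004, Roxen IS.
 //
-// $Id: Roxen.pmod,v 1.193 2005/02/25 15:51:16 grubba Exp $
+// $Id$
 #include <roxen.h>
 #include <config.h>
@@ -1101,4 +1101,14 @@
   new["SERVER_PORT"] = id->my_fd?
     ((id->my_fd->query_address(1)||"foo unknown")/" ")[1]: "Internal";
+  // Protect against execution of arbitrary code in broken bash.
+  foreach(new; string e; string v) {
+  if (has_prefix(v, "() {")) {
+  report_warning("ENV: Function definition in environment variable:\n"
+  "ENV: %O=%O\n",
+  e, v);
+  new[e] = " " + v;
+  }
+  }
+
   return new;
 }
@@ -1193,5 +1203,16 @@
   else
     new["SUPPORTS"] = tmp;
   }
+
+  // Protect against execution of arbitrary code in broken bash.
+  foreach(new; string e; string v) {
+  if (has_prefix(v, "() {")) {
+  report_warning("ENV: Function definition in environment variable:\n"
+  "ENV: %O=%O\n",
+  e, v);
+  new[e] = " " + v;
+  }
+  }
+
   return new;
 }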
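Review bot: The nine-line Shellshock filter is pasted verbatim into both build_roxen_env_vars() (the hunk at 1101) and build_env_vars() (the hunk at 1193); both enclosing functions begin outside their hunks, so only the tail of each is visible here. A single file-local helper called right before each `return new;` keeps the two copies from drifting and gives one place to explain why the value is rewritten rather than dropped: an unpatched bash treats any environment value that begins with `() {` as a function definition to import, and the leading space defeats that match while leaving the value readable by the script. The warning fires once per offending variable on every request, so a client that keeps sending such a header can fill the log; if that matters, log at a lower severity or record only the variable name. The rewrite is a mitigation for hosts still running a vulnerable bash, not a replacement for upgrading it, and the helper's comment should say so.
```pike
// Mitigation for Shellshock in unpatched bash: a value that begins with
// "() {" is imported as a function definition. Prefixing a space keeps
// the value but breaks that match. Upgrading bash is the real fix.
protected mapping protect_env_vars(mapping env)
{
  foreach(env; string e; string v) {
    if (has_prefix(v, "() {")) {
      report_warning("ENV: Function definition in environment variable:\n"
                     "ENV: %O=%O\n",
                     e, v);
      env[e] = " " + v;
    }
  }
  return env;
}

// … in build_roxen_env_vars() and build_env_vars(), replacing the inline loop:
  return protect_env_vars(new);
```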