Bug 1148036

Summary: dash exposes invalid names through 'set'
Product: Red Hat Enterprise Linux 6
Reporter: Eric Blake <eblake>
Component: dash
Assignee: Petr Šabata <psabata>
Status: CLOSED UPSTREAM
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: urgent
Priority: unspecified
Version: 6.5
CC: dsulliva, eblake, fweimer, jonstanley, jorton, kazen, mhlavink, mhradile, qe-baseos-apps
Target Milestone: rc
Keywords: EasyFix, Patch
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 1147645
: 1148070
Last Closed: 2015-10-15 16:53:35 UTC
Type: Bug
Bug Depends On: 1147645
Bug Blocks: 1148070, 1254457
Attachments: Backport 46d3c1a6 - Sanitise environment variable names on entry (flags: none)

Comment 1 Eric Blake 2014-09-30 14:54:31 UTC
POSIX further requires that 'set' used without parameters shall have the following property:
"The output shall be suitable for reinput to the shell, setting or resetting, as far as possible, the variables that are currently set;"

which means 'eval $(set)' should be safe; but trying to eval "a|b=''" tries to invoke the command named 'a', which is NOT safe.

Comment 3 Eric Blake 2014-09-30 15:23:07 UTC
Upstream dash.git has this commit which fixes things:
46d3c1a614f11f0d40a7e73376359618ff07abcd

(not in 0.5.7, and there hasn't been another upstream release since then).

Comment 4 Petr Šabata 2014-09-30 15:41:08 UTC
(In reply to Eric Blake from comment #3)
> Upstream dash.git has this commit which fixes things:
> 46d3c1a614f11f0d40a7e73376359618ff07abcd
> 
> (not in 0.5.7, and there hasn't been another upstream release since then).

Actually 0.5.8 was released four days ago :)

Comment 5 Petr Šabata 2014-09-30 15:51:31 UTC
Created attachment 942784
Backport 46d3c1a6 - Sanitise environment variable names on entry
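The kind of check the attachment title describes, as an added example that is not taken from the bug report, the attachment, or the dash source: environment entries are imported as shell variables only when the part before `=` is a valid POSIX name (`[A-Za-z_][A-Za-z0-9_]*`), so an entry such as `a|b=` from comment 1 never reaches the output of `set`. The function names and the sample environment are assumptions made up for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* ASCII-only tests, so the result does not depend on the locale. */
static int name_start(int c)
{
    return c == '_' || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

static int name_char(int c)
{
    return name_start(c) || (c >= '0' && c <= '9');
}

/* Returns 1 if entry has the form NAME=value with a valid shell NAME. */
int env_entry_importable(const char *entry)
{
    const char *p = entry;
    if (!name_start((unsigned char)*p))
        return 0;                 /* empty name or bad first character */
    while (name_char((unsigned char)*p))
        p++;
    return *p == '=';             /* anything else before '=' is invalid */
}

/* Copies importable entries into out (at most cap); counts rejected ones. */
size_t import_env(char *const envp[], const char **out, size_t cap,
                  size_t *skipped)
{
    size_t kept = 0;
    *skipped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (!env_entry_importable(envp[i]))
            (*skipped)++;         /* never becomes a shell variable */
        else if (kept < cap)
            out[kept++] = envp[i];
    }
    return kept;
}

/* Constructed sample environment; "a|b=" is the case from comment 1. */
static char *const sample_env[] = {
    "PATH=/usr/bin", "a|b=", "_ok1=x", "1bad=y", "novalue", "=empty", NULL
};

int main(void)
{
    const char *out[8];
    size_t skipped;
    size_t kept = import_env(sample_env, out, 8, &skipped);
    printf("imported %zu, skipped %zu\n", kept, skipped);
    return 0;
}
```

Rejected entries are only kept out of the shell's variable table here; whether they are still passed through to child processes is a separate design decision that this sketch does not model.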