KumiSystems/openwrtv4
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
openwrtv4/package/base-files/files/lib/upgrade
History
Daniel Golle 267873ac9b
base-files: don't evaluate block-device uevent 
Current code and also before commit da52dd0c83 was vulnerable to shell
injection using volume lables in the GPT partition table of block
devices. Given that partition names can be freely defined in GPT tables
we really shouldn't evaluate a string which is potentially crafted with
evil intentions. Hence rather use `export -n` to absorb the uevent's
variables into the environment.

Fixes commit da52dd0c83 (base-files: quote values when evaluating uevent)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[mschiffer@universe-factory.net: suggested export -n usage]
2018-02-13 00:01:44 +01:00
..
keep.d base-files: add /etc/shadow to list of essential files to keep in sysupgrade (bug 18206) 2014-10-25 17:22:46 +00:00
common.sh base-files: don't evaluate block-device uevent 2018-02-13 00:01:44 +01:00
fwtool.sh base-files: add a hint in sysupgrade that shows what to do when the image metadata check fails 2016-12-04 11:41:49 +01:00
nand.sh procd: nand: remove nand_board_name platform override 2017-12-08 20:57:12 +01:00
stage2 sysupgrade: don't kill our own parent 2017-11-15 21:11:23 +01:00