[sr-dev] git:4.0: exec: safety check against bash vulnerability CVE-2014-6271

[Daniel-Constantin Mierla]

Module: sip-router
Branch: 4.0
Commit: e97250982c3d9fdc1d7dcba59f7bc0a9256264b9
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e97250982c3d9fdc1d7dcba59f7bc0a9256264b9

Author: Seudin Kasumovic <seudin.kasumovic at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Thu Sep 25 16:56:28 2014 +0200

exec: safety check against bash vulnerability CVE-2014-6271

(cherry picked from commit d5d57c0df931c9d60432def919c837cc76e4ce42)
(cherry picked from commit aebd010ee1ebff8a70877164fb7b508c1ca5503d)

---

 modules/exec/exec_hf.c |   18 ++++++++++++++----
 1 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/modules/exec/exec_hf.c b/modules/exec/exec_hf.c
index 37eaf27..1338cbc 100644
--- a/modules/exec/exec_hf.c
+++ b/modules/exec/exec_hf.c
@@ -256,12 +256,22 @@ static int print_hf_var(struct hf_wrapper *w, int offset)
 	memcpy(envvar, w->prefix, w->prefix_len); c=envvar+w->prefix_len;
 	memcpy(c, hname, hlen ); c+=hlen;
 	*c=EV_ASSIGN;c++;
-	memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
-	c+=w->u.hf->body.len;
+	if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+		memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+		c+=(w->u.hf->body.len-2);
+	} else {
+		memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+		c+=w->u.hf->body.len;
+	}
 	for (wi=w->next_same; wi; wi=wi->next_same) {
 		*c=HF_SEPARATOR;c++;
-		memcpy(c, wi->u.hf->body.s+offset, wi->u.hf->body.len );
-		c+=wi->u.hf->body.len;
+		if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+			memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+			c+=(w->u.hf->body.len-2);
+		} else {
+			memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+			c+=w->u.hf->body.len;
+		}
 	}
 	*c=0; /* zero termination */
 	LM_DBG("%s\n", envvar );