/* Copyright (C) 1997-2017 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see <http://www.gnu.org/licenses/>. */ #include <sys/stat.h> #include <sys/types.h> #include <sys/mman.h> #include <fcntl.h> #include <unistd.h> #include <pwd.h> #include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <string.h> #include <wordexp.h> #include <libc-pointer-arith.h> #define IFS " \n\t" extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden"))); extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *); static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void)) { return __register_atfork (prepare, parent, child, &__dso_handle == NULL ? NULL : __dso_handle); } /* Number of forks seen. */ static int registered_forks; /* For each fork increment the fork count. */ static void register_fork (void) { registered_forks++; } struct test_case_struct { int retval; const char *env; const char *words; int flags; size_t wordc; const char *wordv[10]; const char *ifs; } test_case[] = { /* Simple word- and field-splitting */ { 0, NULL, "one", 0, 1, { "one", }, IFS }, { 0, NULL, "one two", 0, 2, { "one", "two", }, IFS }, { 0, NULL, "one two three", 0, 3, { "one", "two", "three", }, IFS }, { 0, NULL, " \tfoo\t\tbar ", 0, 2, { "foo", "bar", }, IFS }, { 0, NULL, "red , white blue", 0, 4, { "red", ",", "white", "blue", }, " ," }, { 0, NULL, "one two three", 0, 3, { "one", "two", "three", }, "" }, { 0, NULL, "one \"two three\"", 0, 2, { "one", "two three", }, IFS }, { 0, NULL, "one \"two three\"", 0, 2, { "one", "two three", }, "" }, { 0, "two three", "one \"$var\"", 0, 2, { "one", "two three", }, IFS }, { 0, "two three", "one $var", 0, 3, { "one", "two", "three", }, IFS }, { 0, "two three", "one \"$var\"", 0, 2, { "one", "two three", }, "" }, { 0, "two three", "one $var", 0, 2, { "one", "two three", }, "" }, /* The non-whitespace IFS char at the end delimits the second field * but does NOT start a new field. */ { 0, ":abc:", "$var", 0, 2, { "", "abc", }, ":" }, { 0, NULL, "$(echo :abc:)", 0, 2, { "", "abc", }, ":" }, { 0, NULL, "$(echo :abc:\\ )", 0, 2, { "", "abc", }, ": " }, { 0, NULL, "$(echo :abc\\ )", 0, 2, { "", "abc", }, ": " }, { 0, ":abc:", "$(echo $var)", 0, 2, { "", "abc", }, ":" }, { 0, NULL, ":abc:", 0, 1, { ":abc:", }, ":" }, { 0, NULL, "$(echo :abc:)def", 0, 3, { "", "abc", "def", }, ":" }, { 0, NULL, "$(echo abc:de)f", 0, 2, { "abc", "def", }, ":" }, { 0, NULL, "$(echo abc:de)f:ghi", 0, 2, { "abc", "def:ghi", }, ":" }, { 0, NULL, "abc:d$(echo ef:ghi)", 0, 2, { "abc:def", "ghi", }, ":" }, { 0, "abc:", "$var$(echo def:ghi)", 0, 3, { "abc", "def", "ghi", }, ":" }, { 0, "abc:d", "$var$(echo ef:ghi)", 0, 3, { "abc", "def", "ghi", }, ":" }, { 0, "def:ghi", "$(echo abc:)$var", 0, 3, { "abc", "def", "ghi", }, ":" }, { 0, "ef:ghi", "$(echo abc:d)$var", 0, 3, { "abc", "def", "ghi", }, ":" }, /* Simple parameter expansion */ { 0, "foo", "${var}", 0, 1, { "foo", }, IFS }, { 0, "foo", "$var", 0, 1, { "foo", }, IFS }, { 0, "foo", "\\\"$var\\\"", 0, 1, { "\"foo\"", }, IFS }, { 0, "foo", "%$var%", 0, 1, { "%foo%", }, IFS }, { 0, "foo", "-$var-", 0, 1, { "-foo-", }, IFS }, /* Simple quote removal */ { 0, NULL, "\"quoted\"", 0, 1, { "quoted", }, IFS }, { 0, "foo", "\"$var\"\"$var\"", 0, 1, { "foofoo", }, IFS }, { 0, NULL, "'singly-quoted'", 0, 1, { "singly-quoted", }, IFS }, { 0, NULL, "contin\\\nuation", 0, 1, { "continuation", }, IFS }, { 0, NULL, "explicit ''", 0, 2, { "explicit", "", }, IFS }, { 0, NULL, "explicit \"\"", 0, 2, { "explicit", "", }, IFS }, { 0, NULL, "explicit ``", 0, 1, { "explicit", }, IFS }, /* Simple command substitution */ { 0, NULL, "$(echo hello)", 0, 1, { "hello", }, IFS }, { 0, NULL, "$( (echo hello) )", 0, 1, { "hello", }, IFS }, { 0, NULL, "$((echo hello);(echo there))", 0, 2, { "hello", "there", }, IFS }, { 0, NULL, "`echo one two`", 0, 2, { "one", "two", }, IFS }, { 0, NULL, "$(echo ')')", 0, 1, { ")" }, IFS }, { 0, NULL, "$(echo hello; echo)", 0, 1, { "hello", }, IFS }, { 0, NULL, "a$(echo b)c", 0, 1, { "abc", }, IFS }, /* Simple arithmetic expansion */ { 0, NULL, "$((1 + 1))", 0, 1, { "2", }, IFS }, { 0, NULL, "$((2-3))", 0, 1, { "-1", }, IFS }, { 0, NULL, "$((-1))", 0, 1, { "-1", }, IFS }, { 0, NULL, "$[50+20]", 0, 1, { "70", }, IFS }, { 0, NULL, "$(((2+3)*(4+5)))", 0, 1, { "45", }, IFS }, { 0, NULL, "$((010))", 0, 1, { "8" }, IFS }, { 0, NULL, "$((0x10))", 0, 1, { "16" }, IFS }, { 0, NULL, "$((010+0x10))", 0, 1, { "24" }, IFS }, { 0, NULL, "$((-010+0x10))", 0, 1, { "8" }, IFS }, { 0, NULL, "$((-0x10+010))", 0, 1, { "-8" }, IFS }, /* Advanced parameter expansion */ { 0, NULL, "${var:-bar}", 0, 1, { "bar", }, IFS }, { 0, NULL, "${var-bar}", 0, 1, { "bar", }, IFS }, { 0, "", "${var:-bar}", 0, 1, { "bar", }, IFS }, { 0, "foo", "${var:-bar}", 0, 1, { "foo", }, IFS }, { 0, "", "${var-bar}", 0, 0, { NULL, }, IFS }, { 0, NULL, "${var:=bar}", 0, 1, { "bar", }, IFS }, { 0, NULL, "${var=bar}", 0, 1, { "bar", }, IFS }, { 0, "", "${var:=bar}", 0, 1, { "bar", }, IFS }, { 0, "foo", "${var:=bar}", 0, 1, { "foo", }, IFS }, { 0, "", "${var=bar}", 0, 0, { NULL, }, IFS }, { 0, "foo", "${var:?bar}", 0, 1, { "foo", }, IFS }, { 0, NULL, "${var:+bar}", 0, 0, { NULL, }, IFS }, { 0, NULL, "${var+bar}", 0, 0, { NULL, }, IFS }, { 0, "", "${var:+bar}", 0, 0, { NULL, }, IFS }, { 0, "foo", "${var:+bar}", 0, 1, { "bar", }, IFS }, { 0, "", "${var+bar}", 0, 1, { "bar", }, IFS }, { 0, "12345", "${#var}", 0, 1, { "5", }, IFS }, { 0, NULL, "${var:-'}'}", 0, 1, { "}", }, IFS }, { 0, NULL, "${var-}", 0, 0, { NULL }, IFS }, { 0, "pizza", "${var#${var}}", 0, 0, { NULL }, IFS }, { 0, "pepperoni", "${var%$(echo oni)}", 0, 1, { "pepper" }, IFS }, { 0, "6pack", "${var#$((6))}", 0, 1, { "pack" }, IFS }, { 0, "b*witched", "${var##b*}", 0, 0, { NULL }, IFS }, { 0, "b*witched", "${var##\"b*\"}", 0, 1, { "witched" }, IFS }, { 0, "banana", "${var%na*}", 0, 1, { "bana", }, IFS }, { 0, "banana", "${var%%na*}", 0, 1, { "ba", }, IFS }, { 0, "borabora-island", "${var#*bora}", 0, 1, { "bora-island", }, IFS }, { 0, "borabora-island", "${var##*bora}", 0, 1, { "-island", }, IFS }, { 0, "coconut", "${var##\\*co}", 0, 1, { "coconut", }, IFS }, { 0, "100%", "${var%0%}", 0, 1, { "10" }, IFS }, /* Pathname expansion */ { 0, NULL, "???", 0, 2, { "one", "two", }, IFS }, { 0, NULL, "[ot]??", 0, 2, { "one", "two", }, IFS }, { 0, NULL, "t*", 0, 2, { "three", "two", }, IFS }, { 0, NULL, "\"t\"*", 0, 2, { "three", "two", }, IFS }, /* Nested constructs */ { 0, "one two", "$var", 0, 2, { "one", "two", }, IFS }, { 0, "one two three", "$var", 0, 3, { "one", "two", "three", }, IFS }, { 0, " \tfoo\t\tbar ", "$var", 0, 2, { "foo", "bar", }, IFS }, { 0, " red , white blue", "$var", 0, 3, { "red", "white", "blue", }, ", \n\t" }, { 0, " red , white blue", "\"$var\"", 0, 1, { " red , white blue", }, ", \n\t" }, { 0, NULL, "\"$(echo hello there)\"", 0, 1, { "hello there", }, IFS }, { 0, NULL, "\"$(echo \"hello there\")\"", 0, 1, { "hello there", }, IFS }, { 0, NULL, "${var=one two} \"$var\"", 0, 3, { "one", "two", "one two", }, IFS }, { 0, "1", "$(( $(echo 3)+$var ))", 0, 1, { "4", }, IFS }, { 0, NULL, "\"$(echo \"*\")\"", 0, 1, { "*", }, IFS }, { 0, NULL, "\"a\n\n$(echo)b\"", 0, 1, { "a\n\nb", }, IFS }, { 0, "foo", "*$var*", 0, 1, { "*foo*", }, IFS }, { 0, "o thr", "*$var*", 0, 2, { "two", "three" }, IFS }, /* Different IFS values */ { 0, "a b\tc\nd ", "$var", 0, 4, { "a", "b", "c", "d" }, NULL /* unset */ }, { 0, "a b\tc d ", "$var", 0, 1, { "a b\tc d " }, "" /* `null' */ }, { 0, "a,b c\n, d", "$var", 0, 3, { "a", "b c", " d" }, "\t\n," }, /* Other things that should succeed */ { 0, NULL, "\\*\"|&;<>\"\\(\\)\\{\\}", 0, 1, { "*|&;<>(){}", }, IFS }, { 0, "???", "$var", 0, 1, { "???", }, IFS }, { 0, NULL, "$var", 0, 0, { NULL, }, IFS }, { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS }, { 0, NULL, "", 0, 0, { NULL, }, IFS }, /* Flags not already covered (testit() has special handling for these) */ { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS }, { 0, NULL, "appended", WRDE_APPEND, 3, { "pre1", "pre2", "appended", }, IFS }, { 0, NULL, "appended", WRDE_DOOFFS|WRDE_APPEND, 3, { "pre1", "pre2", "appended", }, IFS }, /* Things that should fail */ { WRDE_BADCHAR, NULL, "new\nline", 0, 0, { NULL, }, "" /* \n not IFS */ }, { WRDE_BADCHAR, NULL, "pipe|symbol", 0, 0, { NULL, }, IFS }, { WRDE_BADCHAR, NULL, "&ersand", 0, 0, { NULL, }, IFS }, { WRDE_BADCHAR, NULL, "semi;colon", 0, 0, { NULL, }, IFS }, { WRDE_BADCHAR, NULL, "<greater", 0, 0, { NULL, }, IFS }, { WRDE_BADCHAR, NULL, "less>", 0, 0, { NULL, }, IFS }, { WRDE_BADCHAR, NULL, "(open-paren", 0, 0, { NULL, }, IFS }, { WRDE_BADCHAR, NULL, "close-paren)", 0, 0, { NULL, }, IFS }, { WRDE_BADCHAR, NULL, "{open-brace", 0, 0, { NULL, }, IFS }, { WRDE_BADCHAR, NULL, "close-brace}", 0, 0, { NULL, }, IFS }, { WRDE_CMDSUB, NULL, "$(ls)", WRDE_NOCMD, 0, { NULL, }, IFS }, { WRDE_BADVAL, NULL, "$var", WRDE_UNDEF, 0, { NULL, }, IFS }, { WRDE_BADVAL, NULL, "$9", WRDE_UNDEF, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "$[50+20))", 0, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "${%%noparam}", 0, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "${missing-brace", 0, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "$(for i in)", 0, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS }, /* Test for CVE-2014-7817. We test 3 combinations of command substitution inside an arithmetic expression to make sure that no commands are executed and error is returned. */ { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS }, /* BZ 18042 */ { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS }, /* BZ 18043 */ { WRDE_SYNTAX, NULL, "L${a:", 0, 0, { NULL, }, IFS }, /* BZ 18043#c4 */ { WRDE_SYNTAX, NULL, "$[1/0]", WRDE_NOCMD, 0, {NULL, }, IFS }, /* BZ 18100 */ { -1, NULL, NULL, 0, 0, { NULL, }, IFS }, }; static int testit (struct test_case_struct *tc); static int tests; static void command_line_test (const char *words) { wordexp_t we; int i; int retval = wordexp (words, &we, 0); printf ("wordexp returned %d\n", retval); for (i = 0; i < we.we_wordc; i++) printf ("we_wordv[%d] = \"%s\"\n", i, we.we_wordv[i]); } int main (int argc, char *argv[]) { const char *globfile[] = { "one", "two", "three", NULL }; char tmpdir[32]; struct passwd *pw; const char *cwd; int test; int fail = 0; int i; struct test_case_struct ts; if (argc > 1) { command_line_test (argv[1]); return 0; } cwd = getcwd (NULL, 0); /* Set up arena for pathname expansion */ tmpnam (tmpdir); if (mkdir (tmpdir, S_IRWXU) || chdir (tmpdir)) return -1; else { int fd; for (i = 0; globfile[i]; ++i) if ((fd = creat (globfile[i], S_IRUSR | S_IWUSR)) == -1 || close (fd)) return -1; } /* If we are not allowed to do command substitution, we install fork handlers to verify that no forks happened. No forks should happen at all if command substitution is disabled. */ if (__app_register_atfork (register_fork, NULL, NULL) != 0) { printf ("Failed to register fork handler.\n"); return -1; } for (test = 0; test_case[test].retval != -1; test++) if (testit (&test_case[test])) ++fail; /* Tilde-expansion tests. */ pw = getpwnam ("root"); if (pw != NULL) { ts.retval = 0; ts.env = NULL; ts.words = "~root "; ts.flags = 0; ts.wordc = 1; ts.wordv[0] = pw->pw_dir; ts.ifs = IFS; if (testit (&ts)) ++fail; ts.retval = 0; ts.env = pw->pw_dir; ts.words = "${var#~root}x"; ts.flags = 0; ts.wordc = 1; ts.wordv[0] = "x"; ts.ifs = IFS; if (testit (&ts)) ++fail; } /* "~" expands to value of $HOME when HOME is set */ setenv ("HOME", "/dummy/home", 1); ts.retval = 0; ts.env = NULL; ts.words = "~ ~/foo"; ts.flags = 0; ts.wordc = 2; ts.wordv[0] = "/dummy/home"; ts.wordv[1] = "/dummy/home/foo"; ts.ifs = IFS; if (testit (&ts)) ++fail; /* "~" expands to home dir from passwd file if HOME is not set */ pw = getpwuid (getuid ()); if (pw != NULL) { unsetenv ("HOME"); ts.retval = 0; ts.env = NULL; ts.words = "~"; ts.flags = 0; ts.wordc = 1; ts.wordv[0] = pw->pw_dir; ts.ifs = IFS; if (testit (&ts)) ++fail; } /* Integer overflow in division. */ { static const char *const numbers[] = { "0", "1", "65536", "2147483648", "4294967296" "9223372036854775808", "18446744073709551616", "170141183460469231731687303715884105728", "340282366920938463463374607431768211456", NULL }; for (const char *const *num = numbers; *num; ++num) { wordexp_t p; char pattern[256]; snprintf (pattern, sizeof (pattern), "$[(-%s)/(-1)]", *num); int ret = wordexp (pattern, &p, WRDE_NOCMD); if (ret == 0) { if (p.we_wordc != 1 || strcmp (p.we_wordv[0], *num) != 0) { printf ("Integer overflow for \"%s\" failed", pattern); ++fail; } wordfree (&p); } else if (ret != WRDE_SYNTAX) { printf ("Integer overflow for \"%s\" failed with %d", pattern, ret); ++fail; } } } puts ("tests completed, now cleaning up"); /* Clean up */ for (i = 0; globfile[i]; ++i) remove (globfile[i]); if (cwd == NULL) cwd = ".."; chdir (cwd); rmdir (tmpdir); printf ("tests failed: %d\n", fail); return fail != 0; } static const char * at_page_end (const char *words) { const int pagesize = getpagesize (); char *start = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); if (start == MAP_FAILED) return start; if (mprotect (start + pagesize, pagesize, PROT_NONE)) { munmap (start, 2 * pagesize); return MAP_FAILED; } /* Includes terminating NUL. */ const size_t words_size = strlen (words) + 1; char *words_start = start + pagesize - words_size; memcpy (words_start, words, words_size); return words_start; } static int testit (struct test_case_struct *tc) { int retval; wordexp_t we, sav_we; char *dummy; int bzzzt = 0; int start_offs = 0; int i; if (tc->env) setenv ("var", tc->env, 1); else unsetenv ("var"); if (tc->ifs) setenv ("IFS", tc->ifs, 1); else unsetenv ("IFS"); sav_we.we_wordc = 99; sav_we.we_wordv = &dummy; sav_we.we_offs = 3; we = sav_we; printf ("Test %d (%s): ", ++tests, tc->words); fflush (NULL); const char *words = at_page_end (tc->words); if (tc->flags & WRDE_NOCMD) registered_forks = 0; if (tc->flags & WRDE_APPEND) { /* initial wordexp() call, to be appended to */ if (wordexp ("pre1 pre2", &we, tc->flags & ~WRDE_APPEND) != 0) { printf ("FAILED setup\n"); return 1; } } retval = wordexp (words, &we, tc->flags); if ((tc->flags & WRDE_NOCMD) && (registered_forks > 0)) { printf ("FAILED fork called for WRDE_NOCMD\n"); return 1; } if (tc->flags & WRDE_DOOFFS) start_offs = sav_we.we_offs; if (retval != tc->retval || (retval == 0 && we.we_wordc != tc->wordc)) bzzzt = 1; else if (retval == 0) { for (i = 0; i < start_offs; ++i) if (we.we_wordv[i] != NULL) { bzzzt = 1; break; } for (i = 0; i < we.we_wordc; ++i) if (we.we_wordv[i+start_offs] == NULL || strcmp (tc->wordv[i], we.we_wordv[i+start_offs]) != 0) { bzzzt = 1; break; } } if (bzzzt) { printf ("FAILED\n"); printf ("Test words: <%s>, need retval %d, wordc %Zd\n", tc->words, tc->retval, tc->wordc); if (start_offs != 0) printf ("(preceded by %d NULLs)\n", start_offs); printf ("Got retval %d, wordc %Zd: ", retval, we.we_wordc); if (retval == 0 || retval == WRDE_NOSPACE) { for (i = 0; i < we.we_wordc + start_offs; ++i) if (we.we_wordv[i] == NULL) printf ("NULL "); else printf ("<%s> ", we.we_wordv[i]); } printf ("\n"); } else if (retval != 0 && retval != WRDE_NOSPACE && (we.we_wordc != sav_we.we_wordc || we.we_wordv != sav_we.we_wordv || we.we_offs != sav_we.we_offs)) { bzzzt = 1; printf ("FAILED to restore wordexp_t members\n"); } else printf ("OK\n"); if (retval == 0 || retval == WRDE_NOSPACE) wordfree (&we); const int page_size = getpagesize (); char *start = (char *) PTR_ALIGN_DOWN (words, page_size); if (munmap (start, 2 * page_size) != 0) return 1; fflush (NULL); return bzzzt; }