[at/f20] filter environment variables not acceptable in bash input (#1147043)

Thu Oct 2 12:13:35 UTC 2014

commit e82170c1a80c1318900eefa622a4568c2446bf5b
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Oct 2 14:03:40 2014 +0200

    filter environment variables not acceptable in bash input (#1147043)

 at-3.1.10-filter-environment.patch |   26 ++++++++++++++++++++++++++
 at.spec                            |    7 ++++++-
 2 files changed, 32 insertions(+), 1 deletions(-)
---

diff --git a/at-3.1.10-filter-environment.patch b/at-3.1.10-filter-environment.patch
new file mode 100644
index 0000000..55fc669
--- /dev/null
+++ b/at-3.1.10-filter-environment.patch
@@ -0,0 +1,26 @@
+diff -up at-3.1.10/at.c.filter-environment at-3.1.10/at.c
+--- at-3.1.10/at.c.filter-environment	2014-10-02 10:21:01.684890331 +0200
++++ at-3.1.10/at.c	2014-10-02 10:21:40.678770635 +0200
+@@ -388,6 +388,22 @@ writefile(time_t runtimer, char queue)
+ 	int export = 1;
+ 	char *eqp;
+ 
++        /* Only accept alphanumerics and underscore in variable names.
++         * Also require the name to not start with a digit.
++         * Some shells don't like other variable names.
++         */
++        {
++            char *p = *atenv;
++            if (isdigit(*p))
++                export = 0;
++            for (; *p != '=' && *p != '\0'; ++p) {
++                if (!isalnum(*p) && *p != '_') {
++                    export = 0;
++                    break;
++                }
++            }
++        }
++
+ 	eqp = strchr(*atenv, '=');
+ 	if (ap == NULL)
+ 	    eqp = *atenv;
diff --git a/at.spec b/at.spec
index 329976b..6dab4d9 100644
--- a/at.spec
+++ b/at.spec
@@ -3,7 +3,7 @@
 Summary:	Job spooling tools
 Name:		at
 Version:	3.1.13
-Release:	14%{?dist}
+Release:	15%{?dist}
 # http://packages.debian.org/changelogs/pool/main/a/at/current/copyright
 # + install-sh is MIT license with changes under Public Domain
 License:	GPLv3+ and GPLv2+ and ISC and MIT and Public Domain
@@ -29,6 +29,7 @@ Patch9:         at-3.1.13-mailwithhostname.patch
 Patch10:        at-3.1.13-usePOSIXtimers.patch
 Patch11:        at-3.1.13-help.patch
 Patch12:        at-3.1.14-wrong_format.patch
+Patch13:        at-3.1.10-filter-environment.patch
 
 BuildRequires: fileutils /etc/init.d
 BuildRequires: flex flex-static bison autoconf
@@ -83,6 +84,7 @@ cp %{SOURCE1} .
 %patch10 -p1 -b .posix
 %patch11 -p1 -b .help
 %patch12 -p1 -b .wrong
+%patch13 -p1 -b .filter-environment
 
 %build
 # patch9 touches configure.in
@@ -189,6 +191,9 @@ chown daemon:daemon %{_localstatedir}/spool/at/.SEQ
 %attr(0755,root,root)		%{_initrddir}/atd
 
 %changelog
+* Thu Oct  2 2014 Tomáš Mráz <tmraz at redhat.com> - 3.1.13-15
+- filter environment variables not acceptable in bash input (#1147043)
+
 * Wed Dec  4 2013 Marcela Mašláňová <mmaslano at redhat.com> 3.1.13-14
 - 989201 PAM issue prevents atd sending mail
 - 718422 File a0000f0149b7f3 is in wrong format
