hal/tools hal-system-storage-mount,1.9,1.10

David Zeuthen david at freedesktop.org
Tue Jan 10 18:44:48 PST 2006


Update of /cvs/hal/hal/tools
In directory gabe:/tmp/cvs-serv10260/tools

Modified Files:
	hal-system-storage-mount 
Log Message:
2006-01-10  David Zeuthen  <davidz at redhat.com>

        * tools/hal-system-storage-mount: Fix a potential security hole where
        the user could pass e.g. umask=`/bin/evil` and thus execute /bin/evil
        with root privileges. Also require /bin/bash instead of just /bin/sh.
        Reported by Kay Sievers <kay.sievers at vrfy.org>.



Index: hal-system-storage-mount
===================================================================
RCS file: /cvs/hal/hal/tools/hal-system-storage-mount,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- hal-system-storage-mount	8 Jan 2006 22:27:03 -0000	1.9
+++ hal-system-storage-mount	11 Jan 2006 02:44:46 -0000	1.10
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # Copyright (C) 2005, Kay Sievers <kay.sievers at vrfy.org>
 # Copyright (C) 2006, David Zeuthen <david at fubar.dk>
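
Review bot: the shebang change on the first line has no reason recorded in the script, and the log message says only that bash is now required. The `${OPTION//.../_}` pattern substitution in the later hunk is a bash extension that /bin/sh is not guaranteed to provide, and revision 1.9 already used that form under `#!/bin/sh`. A one-line comment below the shebang naming that dependency would keep someone from switching it back.
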
@@ -106,10 +106,10 @@
 			fi
 		    fi
 		    		    
-		    # make sure the part after the '=' don't contain any commas otherwise an attacker may
-		    # pass e.g. umask=0600,suid,dev and this will get merged into $MOUNTOPTIONS - just replace
-		    # ',' with '_'
-		    MODIFIED_OPTION=${OPTION//,/_}
+		    # Only allow ^a-zA-Z0-9_= in the string because otherwise an attacker may
+		    # pass e.g. umask=0600,suid,dev or umask=`/bin/evil` and this will get merged
+		    # into $MOUNTOPTIONS - Simply replace illegal characters with an underscore
+		    MODIFIED_OPTION=${OPTION//[^a-zA-Z0-9_=]/_}
 		    MOUNTOPTIONS="$MOUNTOPTIONS,$MODIFIED_OPTION"
 		    OPTION_WAS_OK="1"
 		fi
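
Review bot: on the `MODIFIED_OPTION=${OPTION//[^a-zA-Z0-9_=]/_}` line, a disallowed character is rewritten to `_`, and the result is still appended to `$MOUNTOPTIONS` with `OPTION_WAS_OK="1"`, so a malformed option is accepted in altered form rather than refused. Consider failing the request when `$MODIFIED_OPTION` differs from `$OPTION`. The comment's "Only allow ^a-zA-Z0-9_=" also reads as if the caret were one of the allowed characters; "only allow a-zA-Z0-9_=" is what the pattern does. Ranges such as `a-z` in a bash bracket expression follow the current locale's collation, so setting `LC_ALL=C` near the top of the script would pin the allowed set to ASCII.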



