base-files: don't evaluate block-device uevent
author Daniel Golle <daniel@makrotopia.org>
Mon, 12 Feb 2018 22:36:54 +0000 (23:36 +0100)
committer Daniel Golle <daniel@makrotopia.org>
Mon, 12 Feb 2018 23:01:44 +0000 (00:01 +0100)
commit 267873ac9b9e5565f1f1550c931c413f5b5dda9d
tree c0106de9dcadc57b5386b1e732d14866057343ab
parent 49d3c5f057768cfc6e0545267256c64baf19a4e2
base-files: don't evaluate block-device uevent

Current code and also before commit da52dd0c83 was vulnerable to shell
injection using volume labels in the GPT partition table of block
devices. Given that partition names can be freely defined in GPT tables
we really shouldn't evaluate a string which is potentially crafted with
evil intentions. Hence rather use `export -n` to absorb the uevent's
variables into the environment.

Fixes commit da52dd0c83 (base-files: quote values when evaluating uevent)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[mschiffer@universe-factory.net: suggested export -n usage]
package/base-files/files/lib/upgrade/common.sh
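
Added example, not code from this commit or from OpenWrt: a minimal reproduction of the difference the message describes, run over a constructed uevent file whose PARTNAME value contains a `;`. The function names, the sample values and the `eval "$line"` loop are assumptions standing in for the replaced code, which is not shown on this page.

```bash
#!/bin/sh
# `export -n NAME=value` is a bash / BusyBox ash extension, not POSIX sh.
# Re-run under bash if the current shell lacks it (e.g. dash).
(export -n _probe=1) 2>/dev/null || exec bash "$0" "$@"

# Constructed sample uevent. PARTNAME carries the GPT partition name,
# which whoever writes the partition table controls.
make_sample_uevent() {
	cat > "$1" <<'EOF'
MAJOR=8
MINOR=1
DEVNAME=sda1
DEVTYPE=partition
PARTN=1
PARTNAME=data; INJECTED=yes
EOF
}

# Unsafe (assumed stand-in for the old behaviour): every line is parsed
# as shell code, so anything after the ';' runs as a second command.
load_uevent_eval() (
	unset INJECTED PARTNAME
	while read -r line; do
		eval "$line"
	done < "$1"
	printf '%s|%s\n' "$PARTNAME" "${INJECTED:-unset}"
)

# Safe: the whole line is one argument to `export -n`, which only splits
# NAME from value at the first '=' and never parses the value as code.
load_uevent_export() (
	unset INJECTED PARTNAME
	while read -r line; do
		export -n "$line"
	done < "$1"
	printf '%s|%s\n' "$PARTNAME" "${INJECTED:-unset}"
)

tmp=$(mktemp) && make_sample_uevent "$tmp"
echo "eval:      $(load_uevent_eval "$tmp")"    # data|yes
echo "export -n: $(load_uevent_export "$tmp")"  # data; INJECTED=yes|unset
rm -f "$tmp"
```

The `-n` also keeps the absorbed variables from being exported to child processes, so the partition name stays a plain shell variable in the upgrade script.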