From e1e8c60af73fa2c61539c9e201a1db623be55b69 Mon Sep 17 00:00:00 2001 From: Hans Ulrich Niedermann Date: Wed, 21 Oct 2020 22:40:18 +0200 Subject: [PATCH] test-env-util: Verify that \r is disallowed in env var values This adds tests to make sure that basic/env-util considers environment variables containing \r characters invalid, and that it removes such variables during environment cleanup in strv_env_clean*(). test-env-util has not verified this behaviour before. As \r characters can be used to hide information, disallowing them helps with systemd's security barrier role, even when the \r character comes as part of a DOS style (\r\n) line ending. Prompted-by: https://github.com/systemd/systemd/issues/17378 --- src/test/test-env-util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/test/test-env-util.c b/src/test/test-env-util.c index b0af660e3ba..4fede158cd0 100644 --- a/src/test/test-env-util.c +++ b/src/test/test-env-util.c @@ -264,6 +264,7 @@ static void test_env_clean(void) { "xyz=xyz\n", "another=one", "another=final one", + "CRLF=\r\n", "BASH_FUNC_foo%%=() { echo foo\n}"); assert_se(e); assert_se(!strv_env_is_valid(e)); @@ -306,6 +307,8 @@ static void test_env_value_is_valid(void) { assert_se(env_value_is_valid("printf \"\\x1b]0;\\x07\"")); assert_se(env_value_is_valid("tab\tcharacter")); assert_se(env_value_is_valid("new\nline")); + assert_se(!env_value_is_valid("Show this?\rNope. Show that!")); + assert_se(!env_value_is_valid("new DOS\r\nline")); } static void test_env_assignment_is_valid(void) {