security: Round 6.3 shell command substitution fix (A18)

A18: Fix shell command substitution  syntax
- expand_vars was adding '(' at the start but missing ')' at the end
- Added closing parenthesis to properly wrap subshell command
- Changed cmd[1 + cmdlen] = '\0' to cmd[1 + cmdlen] = ')' and cmd[2 + cmdlen] = '\0'

Tests: 119/119 PASS (smoke test, SMP=4)

diff --git a/user/cmds/sh/sh.c b/user/cmds/sh/sh.c
index 3c60632242509560d50c0f25fd96843c8343c1df..c00d7a4c334509de3a288959de09189fceef8e37 100644 (file)
--- a/user/cmds/sh/sh.c
+++ b/user/cmds/sh/sh.c
@@ -472,7 +472,8 @@ static void expand_vars(const char* src, char* dst, int maxlen) {
                 char cmd[258];
                 cmd[0] = '(';  /* wrap in subshell */
                 memcpy(cmd + 1, start, (size_t)cmdlen);
-                cmd[1 + cmdlen] = '\0';
+                cmd[1 + cmdlen] = ')';  /* A18: add closing parenthesis */
+                cmd[2 + cmdlen] = '\0';
                 int pfd[2];
                 if (pipe(pfd) == 0) {
                     int pid = fork();