From 83ec1ca58e4188337e5d99546b26386b163285fa Mon Sep 17 00:00:00 2001
From: Tulio A M Mendes
Date: Mon, 25 May 2026 16:21:33 -0300
Subject: [PATCH] security: Round 6.3 shell command substitution fix (A18) A18: Fix shell command substitution syntax - expand_vars was adding '(' at the start but missing ')' at the end - Added closing parenthesis to properly wrap subshell command - Changed cmd[1 + cmdlen] = '\0' to cmd[1 + cmdlen] = ')' and cmd[2 + cmdlen] = '\0' Tests: 119/119 PASS (smoke test, SMP=4)
---
 user/cmds/sh/sh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/user/cmds/sh/sh.c b/user/cmds/sh/sh.c
index 3c606322..c00d7a4c 100644
--- a/user/cmds/sh/sh.c
+++ b/user/cmds/sh/sh.c
@@ -472,7 +472,8 @@ static void expand_vars(const char* src, char* dst, int maxlen) {
 char cmd[258];
 cmd[0] = '('; /* wrap in subshell */
 memcpy(cmd + 1, start, (size_t)cmdlen);
- cmd[1 + cmdlen] = '\0';
+ cmd[1 + cmdlen] = ')'; /* A18: add closing parenthesis */
+ cmd[2 + cmdlen] = '\0';
 int pfd[2];
 if (pipe(pfd) == 0) {
 int pid = fork();
-- 
2.43.0
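Review bot: The added `cmd[2 + cmdlen] = '\0';` writes one byte further into `char cmd[258]` than the old terminator did, so it stays in bounds only when `cmdlen <= 255`; the check that limits `cmdlen` is outside this hunk, and if it still admits 256 (which a 258-byte buffer sized for '(' + 256 bytes + NUL would suggest) this becomes a one-byte stack overflow driven by the text inside the command substitution. I would tie the limit to the buffer right before the `memcpy`, e.g. `if (cmdlen < 0 || (size_t)cmdlen > sizeof(cmd) - 3) { /* reject or truncate the substitution */ }`, or grow the array to match whatever maximum the earlier check enforces. expand_vars starts and ends outside the hunk, so the existing bound has to be confirmed there. A regression test with a maximum-length command substitution would cover the boundary that the smoke test may not reach.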