File at-3.1.14-sane-envkeys.patch of Package at.8355

commit 482f5962d9584d6110b940f0f51ab5919a6eb8a0
Author: Ansgar Burchardt <ansgar@debian.org>
Date:   Sun Sep 28 17:06:12 2014 +0200

    at: only retain variables whose name consists of alphanumerics and underscores
    
    Since a recent security update[1] bash might export variables named
    BASH_FUNC_*() to the environment which the serialization code in at
    cannot handle properly.
    
      [1] <https://www.debian.org/security/2014/dsa-3035>

Index: at-3.1.14/at.c
===================================================================
--- at-3.1.14.orig/at.c
+++ at-3.1.14/at.c
@@ -389,6 +389,22 @@ writefile(time_t runtimer, char queue)
 	int export = 1;
 	char *eqp;
 
+        /* Only accept alphanumerics and underscore in variable names.
+         * Also require the name to not start with a digit.
+         * Some shells don't like other variable names.
+         */
+        {
+            char *p = *atenv;
+            if (isdigit(*p))
+                export = 0;
+            for (; *p != '=' && *p != '\0'; ++p) {
+                if (!isalnum(*p) && *p != '_') {
+                    export = 0;
+                    break;
+                }
+            }
+        }
+
 	eqp = strchr(*atenv, '=');
 	if (ap == NULL)
 	    eqp = *atenv;
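Review bot: The `isdigit(*p)` and `isalnum(*p)` calls in the added block pass a plain `char`, which is undefined behaviour for bytes above 0x7f on platforms where `char` is signed, and the environment strings come from the invoking user; cast first, e.g. `if (isdigit((unsigned char)*p))` and `if (!isalnum((unsigned char)*p) && *p != '_') {`. Because `isalnum` is locale-dependent, a non-C locale (if one is set elsewhere in the program) could still admit non-ASCII bytes, so explicit ASCII range comparisons would make the filter match its comment exactly. An entry with an empty name (one that starts with `=`) skips the loop and leaves `export` at 1; a guard such as `if (*p == '=' || *p == '\0') export = 0;` before the loop would reject it. The rest of writefile(), including how `export` is consumed later, lies outside this hunk.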