It appears that there is some wordexp() use that may depend on security
of WRDE_NOCMD. The current wordexp() allows arbitrary command execution
even if WRDE_NOCMD is set, since shell syntax is too complicated to detect
command substitution and unquoted operators reliably without implementing
much of sh's parser. This diff fixes this by adding some functionality to sh
(as opposed to implementing a full shell parser in libc).
The new functionality is an undocumented builtin utility freebsd_wordexp
that invokes the parser and expansion code. The old undocumented builtin
utility wordexp may be removed at some point.
The basic concept is:
execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2",
"", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>);
Apart from implementing wordexp(), freebsd_wordexp is also useful to
fuzz more of sh than can be reached via sh -n. I fixed two bugs in the
expansion code via fuzzing (already committed as r287081 and r287148).
I may use this freebsd_ prefix more often for non-standard functionality.
While changing sh's support anyway, also read input from a pipe instead of
arguments to avoid {ARG_MAX} limits and improve privacy, and output count
and length using 16 instead of 8 digits.
The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to
fail strings containing unquoted braces with code WRDE_BADCHAR. Since this
is normally not a syntax error in sh, there is still a need for checking
code in libc, we_check().
The new we_check() is an optimistic check that all the characters
<newline> | & ; < > ( ) { }are quoted. To avoid duplicating too much sh logic, such characters are
permitted when quoting characters are seen, even if the quoting characters
may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad
characters that get past it and are a syntax error in sh return WRDE_SYNTAX.