This issue seems fairly minor, but RHEL (and maybe others) allow INPUTRC through sudo by default so perhaps this warrants some attention.
Something silly like:

    echo '$include /tmp/X' > /tmp/X
    INPUTRC=/tmp/X sudo bash -c 'read -e'

Will segfault:

    Program terminated with signal 11, Segmentation fault.
    #0  0x00007f275ac948d7 in __GI___libc_malloc (bytes=bytes@entry=7) at malloc.c:2895
    2895      victim = _int_malloc(ar_ptr, bytes);
    (gdb) bt
    #0  0x00007f275ac948d7 in __GI___libc_malloc (bytes=bytes@entry=7) at malloc.c:2895
    #1  0x0000000000474e40 in xmalloc (bytes=bytes@entry=7) at xmalloc.c:112
    #2  0x00000000004bc6c3 in tilde_expand (string=string@entry=0x1217369 "/tmp/X") at ./tilde.c:202

(at slightly different places, depending on other directives in the file).

Since there is already current_readline_init_include_level, maybe implementing a max level for $include’s would be worthwhile.

The devel version of readline also has a lot more _rl_init_file_error calls that include portions of the parsed file, which would allow leaking portions of arbitrary file content. That’s probably more of a concern for sudo package maintainers though.
_______________________________________________
Bug-readline mailing list
https://lists.gnu.org/mailman/listinfo/bug-readline
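The max $include level suggested in the message above, sketched as an added example (not readline's code and not part of the original post): a minimal inputrc-style parser that stops following $include at an assumed depth of 10 and reports only the path on error, never parsed file content. MAX_INCLUDE_DEPTH, parse_init_file, run_case and the a.inputrc/b.inputrc scratch files are hypothetical names, and the file bodies are constructed samples.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INCLUDE_DEPTH 10  /* assumed cap, not a readline constant */

/* Parse an inputrc-style file, following "$include <path>" lines. Returns the
   directive count, or -1 on an unreadable file or nesting past the cap. */
int parse_init_file(const char *path, int depth)
{
    char line[1024];
    int count = 0;
    FILE *fp;
    if (depth > MAX_INCLUDE_DEPTH) {
        /* Report the path only; never echo parsed file content. */
        fprintf(stderr, "%s: $include nested too deeply\n", path);
        return -1;
    }
    if ((fp = fopen(path, "r")) == NULL)
        return -1;
    while (count >= 0 && fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strncmp(line, "$include ", 9) == 0) {
            const char *inc = line + 9 + strspn(line + 9, " \t");
            int sub = parse_init_file(inc, depth + 1);
            count = (sub < 0) ? -1 : count + sub;
        } else if (line[0] != '\0' && line[0] != '#') {
            count++;
        }
    }
    fclose(fp);
    return count;
}

/* Write two constructed scratch files (hypothetical names), parse the first. */
int run_case(const char *body_a, const char *body_b)
{
    FILE *a = fopen("a.inputrc", "w"), *b = fopen("b.inputrc", "w");
    int rc = -2;
    if (a != NULL) { fputs(body_a, a); fclose(a); }
    if (b != NULL) { fputs(body_b, b); fclose(b); }
    if (a != NULL && b != NULL) rc = parse_init_file("a.inputrc", 0);
    remove("a.inputrc");
    remove("b.inputrc");
    return rc;
}

int main(void)
{
    printf("self-include: %d\n", run_case("$include a.inputrc\n", ""));
    return 0;
}
```

A self-including file and a two-file include cycle both end with -1 after at most eleven nested opens, while an ordinary one-level include still parses.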
