Security: Explicitly define IFS to prevent misuse.

The scripts are written with certain expectations.
This expectation may not be properly met if the `IFS` value is changed.
This can potentially be used to create some sort of exploit.

Explicitly define IFS and then do so at a local variable scope to prevent affecting the callers IFS setting.

Simplify some of the Controller rules.

diff --git a/data/data/controller/example/cgroup/rules/program/chromium.rule b/data/data/controller/example/cgroup/rules/program/chromium.rule
index f332b7057dad7f6ad2e898a64ac476f8346fbaf2..38d455ceb47ab29a97a457f9775bb65bd48d69f0 100644 (file)
--- a/data/data/controller/example/cgroup/rules/program/chromium.rule
+++ b/data/data/controller/example/cgroup/rules/program/chromium.rule
@@ -13,15 +13,21 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then
-      xhost SI:localuser:some_user
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    if [[ $DISPLAY == "" ]] ; then
-      export DISPLAY=:0.0
-    fi
+      if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then
+        xhost SI:localuser:some_user
+      fi

 
 

-    export WEBKIT_DISABLE_COMPOSITING_MODE=1
+      if [[ $DISPLAY == "" ]] ; then
+        export DISPLAY=:0.0
+      fi
+
+      export WEBKIT_DISABLE_COMPOSITING_MODE=1
+    \}
+
+    main ${*}

   }
 
 command:
   }
 
 command:

diff --git a/data/data/controller/example/cgroup/rules/program/falkon.rule b/data/data/controller/example/cgroup/rules/program/falkon.rule
index f7458c5361edab650cbe82af902e3c40e81fe831..94bd242a65a97806a19f8d15b7ee904fca48fbb9 100644 (file)
--- a/data/data/controller/example/cgroup/rules/program/falkon.rule
+++ b/data/data/controller/example/cgroup/rules/program/falkon.rule
@@ -13,13 +13,19 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then
-      xhost SI:localuser:some_user
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    if [[ $DISPLAY == "" ]] ; then
-      export DISPLAY=:0.0
-    fi
+      if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then
+        xhost SI:localuser:some_user
+      fi
+
+      if [[ $DISPLAY == "" ]] ; then
+        export DISPLAY=:0.0
+      fi
+    \}
+
+    main ${*}

   }
 
 command:
   }
 
 command:

diff --git a/data/data/controller/example/cgroup/rules/program/firefox.rule b/data/data/controller/example/cgroup/rules/program/firefox.rule
index 196d6d06c87a545d010d89be0834827f7fa4830b..9f36b697f9e5ff0ae86d979439d978dc493f139d 100644 (file)
--- a/data/data/controller/example/cgroup/rules/program/firefox.rule
+++ b/data/data/controller/example/cgroup/rules/program/firefox.rule
@@ -13,13 +13,19 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then
-      xhost SI:localuser:some_user
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    if [[ $DISPLAY == "" ]] ; then
-      export DISPLAY=:0.0
-    fi
+      if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then
+        xhost SI:localuser:some_user
+      fi
+
+      if [[ $DISPLAY == "" ]] ; then
+        export DISPLAY=:0.0
+      fi
+    \}
+
+    main ${*}

   }
 
 command:
   }
 
 command:

diff --git a/data/data/controller/example/cgroup/rules/program/terminator.rule b/data/data/controller/example/cgroup/rules/program/terminator.rule
index 79f373e46d542366db38effc4a485c0747ef7be6..d1ea68ca32ec1925ab71607105b8f9851479f722 100644 (file)
--- a/data/data/controller/example/cgroup/rules/program/terminator.rule
+++ b/data/data/controller/example/cgroup/rules/program/terminator.rule
@@ -13,13 +13,19 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then
-      xhost SI:localuser:some_user
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    if [[ $DISPLAY == "" ]] ; then
-      export DISPLAY=:0.0
-    fi
+      if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then
+        xhost SI:localuser:some_user
+      fi
+
+      if [[ $DISPLAY == "" ]] ; then
+        export DISPLAY=:0.0
+      fi
+    \}
+
+    main ${*}

   }
 
 command:
   }
 
 command:

diff --git a/data/data/controller/example/cgroup/rules/setup/cgroups.rule b/data/data/controller/example/cgroup/rules/setup/cgroups.rule
index b86e1cee668abc01aa31885e8cd0c46459619d2b..2020e5fdc5f8912a3dd2573cc44cc1dd3e6c220b 100644 (file)
--- a/data/data/controller/example/cgroup/rules/setup/cgroups.rule
+++ b/data/data/controller/example/cgroup/rules/setup/cgroups.rule
@@ -16,6 +16,8 @@ script:
 
   start {
     main() {
 
   start {
     main() {

+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+

       # Example PATH containing the FLL programs at a custom isolated directory.
       PATH=/usr/local/fll/programs/shared/:$PATH
 
       # Example PATH containing the FLL programs at a custom isolated directory.
       PATH=/usr/local/fll/programs/shared/:$PATH
 


@@ -148,5 +150,5 @@ script:
       return 0
     \}
 
       return 0
     \}
 

-    main
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/init/rules/boot/devices.rule b/data/data/controller/example/init/rules/boot/devices.rule
index 61d3038aa016cb0f964e3fea47457a7dad1e6883..f7a841856a2be91a398f4f44ccbad94aba0680ca 100644 (file)
--- a/data/data/controller/example/init/rules/boot/devices.rule
+++ b/data/data/controller/example/init/rules/boot/devices.rule
@@ -14,15 +14,21 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    if [[ ! -d /dev/pts ]] ; then
-      mkdir /dev/pts
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    if [[ ! -d /dev/shm ]] ; then
-      mkdir /dev/shm
-    fi
+      if [[ ! -d /dev/pts ]] ; then
+        mkdir /dev/pts
+      fi

 
 

-    exit 0
+      if [[ ! -d /dev/shm ]] ; then
+        mkdir /dev/shm
+      fi
+
+      return 0
+    \}
+
+    main ${*}

   }
 
 command:
   }
 
 command:

diff --git a/data/data/controller/example/init/rules/boot/file_system.rule b/data/data/controller/example/init/rules/boot/file_system.rule
index 41e6932b40ee86e6e5605d54102e0d6fbae6ffaf..fb763fe14f851be75959a5fac851bc0bcb2910a2 100644 (file)
--- a/data/data/controller/example/init/rules/boot/file_system.rule
+++ b/data/data/controller/example/init/rules/boot/file_system.rule
@@ -23,7 +23,13 @@ command:
 
 script:
   start {
 
 script:
   start {

-    if [[ ! -d /var/run/init ]] ; then
-      mkdir /var/run/init
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      if [[ ! -d /var/run/init ]] ; then
+        mkdir /var/run/init
+      fi
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/init/rules/boot/modules.rule b/data/data/controller/example/init/rules/boot/modules.rule
index 5572d90e50484767692c766b9181a17dc0617b06..eb0c88cd955f4ebf285da1566d4568214c50e2c5 100644 (file)
--- a/data/data/controller/example/init/rules/boot/modules.rule
+++ b/data/data/controller/example/init/rules/boot/modules.rule
@@ -12,17 +12,23 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    if [[ ! -f /proc/modules ]] ; then
-      exit 0
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    if [[ -d /modules ]] ; then
-      if [[ ! -e /modules/$(uname -r)/modules.dep ]] ; then
-        depmod
-      else
-        depmod -A
+      if [[ ! -f /proc/modules ]] ; then
+        exit 0

       fi
       fi

-    fi

 
 

-    exit 0
+      if [[ -d /modules ]] ; then
+        if [[ ! -e /modules/$(uname -r)/modules.dep ]] ; then
+          depmod
+        else
+          depmod -A
+        fi
+      fi
+
+      return 0
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/init/rules/boot/proc.rule b/data/data/controller/example/init/rules/boot/proc.rule
index acb9fa5487968027a747047a575b6498ab041e94..28b605f44be22b98a7ee2e70b98063c5d9cce529 100644 (file)
--- a/data/data/controller/example/init/rules/boot/proc.rule
+++ b/data/data/controller/example/init/rules/boot/proc.rule
@@ -13,17 +13,29 @@ command:
 
 script:
   start {
 
 script:
   start {

-    if [[ -d /proc/bus/usb ]] ; then
-      mount /proc/bus/usb
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    exit 0
+      if [[ -d /proc/bus/usb ]] ; then
+        mount /proc/bus/usb
+      fi
+
+      return 0
+    \}
+
+    main ${*}

   }
 
   stop {
   }
 
   stop {

-    if [[ -d /proc/bus/usb ]] ; then
-      umount -l /proc/bus/usb
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      if [[ -d /proc/bus/usb ]] ; then
+        umount -l /proc/bus/usb
+      fi
+
+      return 0
+    \}

 
 

-    exit 0
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/init/rules/boot/root.rule b/data/data/controller/example/init/rules/boot/root.rule
index 5f3abf6c200ae830552581df2a95a8bb8f96d446..dcdeae78cf5493b9414fe7198d155747835becaa 100644 (file)
--- a/data/data/controller/example/init/rules/boot/root.rule
+++ b/data/data/controller/example/init/rules/boot/root.rule
@@ -11,57 +11,18 @@ command:
 
 script:
   start {
 
 script:
   start {

-    if [[ ! -d /dev ]] ; then
-      mkdir /dev
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+      local i=

 
 

-    if [[ ! -d /dev/pts ]] ; then
-      mkdir /dev/pts
-    fi
+      for i in /dev /dev/pts /dev/shm /firmware /mnt /modules /proc /sys /tmp /var /var/log /var/run /var/tmp ; do
+        if [[ ! -d ${i} ]] ; then
+          mkdir ${i}
+        fi
+      done

 
 

-    if [[ ! -d /dev/shm ]] ; then
-      mkdir /dev/shm
-    fi
+      return 0
+    \}

 
 

-    if [[ ! -d /firmware ]] ; then
-      mkdir /firmware
-    fi
-
-    if [[ ! -d /mnt ]] ; then
-      mkdir /mnt
-    fi
-
-    if [[ ! -d /modules ]] ; then
-      mkdir /modules
-    fi
-
-    if [[ ! -d /proc ]] ; then
-      mkdir /proc
-    fi
-
-    if [[ ! -d /sys ]] ; then
-      mkdir /sys
-    fi
-
-    if [[ ! -d /tmp ]] ; then
-      mkdir /tmp
-    fi
-
-    if [[ ! -d /var ]] ; then
-      mkdir /var
-    fi
-
-    if [[ ! -d /var/log ]] ; then
-      mkdir /var/log
-    fi
-
-    if [[ ! -d /var/run ]] ; then
-      mkdir /var/run
-    fi
-
-    if [[ ! -d /var/tmp ]] ; then
-      mkdir /var/tmp
-    fi
-
-    exit 0
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/init/rules/net/loopback.rule b/data/data/controller/example/init/rules/net/loopback.rule
index 9377cddb0fcce4657136479601ef25e238eaa477..1ac8841f263c214977ea7701bffe957a9e68df99 100644 (file)
--- a/data/data/controller/example/init/rules/net/loopback.rule
+++ b/data/data/controller/example/init/rules/net/loopback.rule
@@ -10,10 +10,22 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    ip addr add 127.0.0.1/8 label lo dev lo
-    ip link set lo up
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      ip addr add 127.0.0.1/8 label lo dev lo
+      ip link set lo up
+    \}
+
+    main ${*}

   }
 
   stop {
   }
 
   stop {

-    ip link set lo down
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      ip link set lo down
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/init/rules/service/mouse.rule b/data/data/controller/example/init/rules/service/mouse.rule
index ad970954d2202fda46eed5f1afea3ff40cf5f0aa..ecfcb3822fbd504e49ca71a3be0e3c2975647f59 100644 (file)
--- a/data/data/controller/example/init/rules/service/mouse.rule
+++ b/data/data/controller/example/init/rules/service/mouse.rule
@@ -10,10 +10,16 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    # This works if gpm service is run as root, but if not then this should be in a separate rule file with appropriate access to write to /var/run (don't forget to chown!).
-    if [[ ! -d /var/run/mouse/ && -d /var/run ]] ; then
-      mkdir /var/run/mouse/
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      # This works if gpm service is run as root, but if not then this should be in a separate rule file with appropriate access to write to /var/run (don't forget to chown!).
+      if [[ ! -d /var/run/mouse/ && -d /var/run ]] ; then
+        mkdir /var/run/mouse/
+      fi
+    \}
+
+    main ${*}

   }
 
 service:
   }
 
 service:

diff --git a/data/data/controller/example/init/rules/task/clock.rule b/data/data/controller/example/init/rules/task/clock.rule
index 663f15992ece7cd217be3d7c372e511ebf1f9fe3..6463e57dcb5f49acc0826753b2ce345ea8239f84 100644 (file)
--- a/data/data/controller/example/init/rules/task/clock.rule
+++ b/data/data/controller/example/init/rules/task/clock.rule
@@ -13,27 +13,33 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    clock_file=/etc/clock
-    clock_mode=
-    clock_server=
-    clock_ntpdate=
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    if [[ -f $clock_file ]] ; then
-      clock_mode=$(fss_basic_read -can 0 mode $clock_file);
-      clock_server=$(fss_basic_read -can 0 server $clock_file)
-      clock_ntpdate=$(fss_basic_read -can 0 ntpdate $clock_file)
-    fi
+      local clock_file=/etc/clock
+      local clock_mode=
+      local clock_server=
+      local clock_ntpdate=

 
 

-    if [[ $clock_mode == "local" ]] ; then
-      hwclock --hctosys;
-    elif [[ $clock_mode == "ntp"  ]] ; then
-      if [[ $clock_ntpdate == "yes" ]] ; then
-        ntpdate $clock_server &&
-        hwclock --systohc --utc
+      if [[ -f $clock_file ]] ; then
+        clock_mode=$(fss_basic_read -can 0 mode $clock_file);
+        clock_server=$(fss_basic_read -can 0 server $clock_file)
+        clock_ntpdate=$(fss_basic_read -can 0 ntpdate $clock_file)

       fi
       fi

-    elif [[ $clock_mode == "ntpdate" && $clock_host != "" ]] ; then
-      ntpdate $clock_server
-    elif [[ $clock_mode == "utc" ]] ; then
-      hwclock --hctosys --utc;
-    fi
+
+      if [[ $clock_mode == "local" ]] ; then
+        hwclock --hctosys;
+      elif [[ $clock_mode == "ntp"  ]] ; then
+        if [[ $clock_ntpdate == "yes" ]] ; then
+          ntpdate $clock_server &&
+          hwclock --systohc --utc
+        fi
+      elif [[ $clock_mode == "ntpdate" && $clock_host != "" ]] ; then
+        ntpdate $clock_server
+      elif [[ $clock_mode == "utc" ]] ; then
+        hwclock --hctosys --utc;
+      fi
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/init/rules/task/ntpdate.rule b/data/data/controller/example/init/rules/task/ntpdate.rule
index 5956114a40859ac5ef6c3a6cb5b869775f7caf19..f8d35bded2163ffb04122f89ca8e8ac87bbe565a 100644 (file)
--- a/data/data/controller/example/init/rules/task/ntpdate.rule
+++ b/data/data/controller/example/init/rules/task/ntpdate.rule
@@ -13,16 +13,22 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    clock_file=/etc/clock
-    clock_mode=
-    clock_server=
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    if [[ -f $clock_file ]] ; then
-      clock_mode=$(fss_basic_read -can 0 mode $clock_file);
-      clock_server=$(fss_basic_read -can 0 server $clock_file)
-    fi
+      local clock_file=/etc/clock
+      local clock_mode=
+      local clock_server=

 
 

-    if [[ $clock_mode == "ntpdate" && $clock_host != "" ]] ; then
-      ntpdate $clock_server
-    fi
+      if [[ -f $clock_file ]] ; then
+        clock_mode=$(fss_basic_read -can 0 mode $clock_file);
+        clock_server=$(fss_basic_read -can 0 server $clock_file)
+      fi
+
+      if [[ $clock_mode == "ntpdate" && $clock_host != "" ]] ; then
+        ntpdate $clock_server
+      fi
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/command/multiple.rule b/data/data/controller/example/miscellaneous/rules/command/multiple.rule
index 8b3fd73147d23d93db97b367cdf1061778f7e337..32ff117b0ef7ed39b263aab691679a8247410161 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/command/multiple.rule
+++ b/data/data/controller/example/miscellaneous/rules/command/multiple.rule
@@ -19,20 +19,32 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo
-    echo "Current ulimit is"
-    ulimit -a
-    sleep 5
-
-    echo
-    echo "Current cgroup for self (PPID $PPID, PID $$) is: '$(cat /proc/self/cgroup)'"
-    sleep 5
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo
+      echo "Current ulimit is"
+      ulimit -a
+      sleep 5
+
+      echo
+      echo "Current cgroup for self (PPID $PPID, PID $$) is: '$(cat /proc/self/cgroup)'"
+      sleep 5
+    \}
+
+    main ${*}

   }
 
 command:
   start {
   }
 
 command:
   start {

-    id
-    sleep 5
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      id
+      sleep 5
+    \}
+
+    main ${*}

   }
 
 script:
   }
 
 script:

diff --git a/data/data/controller/example/miscellaneous/rules/environment/default.rule b/data/data/controller/example/miscellaneous/rules/environment/default.rule
index 4efe7e42e807cdfdd3af263a5b1437b0ea95ee34..dffe66be7dee6f0dda5f84542f04aa012e143f31 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/environment/default.rule
+++ b/data/data/controller/example/miscellaneous/rules/environment/default.rule
@@ -9,10 +9,16 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo
-    echo "==================================="
-    echo "Environment using default settings."
-    echo "==================================="
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    env
+      echo
+      echo "==================================="
+      echo "Environment using default settings."
+      echo "==================================="
+
+      env
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/environment/empty.rule b/data/data/controller/example/miscellaneous/rules/environment/empty.rule
index c0411873208fc39fd2c4743cef90514ecd795b0d..fdb479430d03f95a4081d52fe5b9e32eec70ff76 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/environment/empty.rule
+++ b/data/data/controller/example/miscellaneous/rules/environment/empty.rule
@@ -10,10 +10,16 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo
-    echo "============================="
-    echo "Environment allowing nothing."
-    echo "============================="
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    env
+      echo
+      echo "============================="
+      echo "Environment allowing nothing."
+      echo "============================="
+
+      env
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/environment/exported.rule b/data/data/controller/example/miscellaneous/rules/environment/exported.rule
index d8c204fdaa1bee0381dd82d739425cc0a0695d36..a7e626babea4952da7815d8d73d78db260bc2c0b 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/environment/exported.rule
+++ b/data/data/controller/example/miscellaneous/rules/environment/exported.rule
@@ -10,10 +10,16 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo
-    echo "=========================="
-    echo "Environment allowing PATH."
-    echo "=========================="
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    env
+      echo
+      echo "=========================="
+      echo "Environment allowing PATH."
+      echo "=========================="
+
+      env
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/environment/exporting.rule b/data/data/controller/example/miscellaneous/rules/environment/exporting.rule
index d2b3dadf0c588d9c0fa62a7a2a8b3df9dd651914..5b4cd9b8056a2eed27a697741fc2a9005b93a3cc 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/environment/exporting.rule
+++ b/data/data/controller/example/miscellaneous/rules/environment/exporting.rule
@@ -10,15 +10,21 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo
-    echo "================================="
-    echo "Exported Environment is isolated."
-    echo "================================="
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
 

-    export custom_variable="is not retained"
-    echo "export custom_variable='$custom_variable'"
-    echo
-    echo "Now for 'env' command:"
+      echo
+      echo "================================="
+      echo "Exported Environment is isolated."
+      echo "================================="
+
+      export custom_variable="is not retained"
+      echo "export custom_variable='$custom_variable'"
+      echo
+      echo "Now for 'env' command:"
+    \}
+
+    main ${*}

   }
 
 command:
   }
 
 command:

diff --git a/data/data/controller/example/miscellaneous/rules/maintenance/boom.rule b/data/data/controller/example/miscellaneous/rules/maintenance/boom.rule
index 727850672b1319d7bdecfc23d4075e36121660e7..4a4fa8dba6f1724fdc6ad1d9090ed1ffb144b73d 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/maintenance/boom.rule
+++ b/data/data/controller/example/miscellaneous/rules/maintenance/boom.rule
@@ -6,6 +6,12 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo "kaboooom!"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "kaboooom!"
+    \}
+
+    main ${*}

   }
 
   }
 

diff --git a/data/data/controller/example/miscellaneous/rules/script/create_socket_path.rule b/data/data/controller/example/miscellaneous/rules/script/create_socket_path.rule
index 796b3669450f2f876cbc85db2c9d50acc10707e2..5b3b210f5a5fd976723b6aeccde947b064013e74 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/script/create_socket_path.rule
+++ b/data/data/controller/example/miscellaneous/rules/script/create_socket_path.rule
@@ -8,7 +8,13 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    if [[ ! -d "parameter:"socket"" ]] ; then
-      mkdir parameter:"verbose" -p parameter:"socket"
-    fi
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      if [[ ! -d "parameter:"socket"" ]] ; then
+        mkdir parameter:"verbose" -p parameter:"socket"
+      fi
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/script/fail.rule b/data/data/controller/example/miscellaneous/rules/script/fail.rule
index dd77b4138d50b4796c0c82225846d4178bf5cec2..536b4e54c9e7708d8b09ba6de34456e23deb1aa1 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/script/fail.rule
+++ b/data/data/controller/example/miscellaneous/rules/script/fail.rule
@@ -7,8 +7,12 @@ settings:
 script:
   start {
     \#!/bin/bash
 script:
   start {
     \#!/bin/bash

+

     my_function() {
     my_function() {

+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+

       echo "Hello this is the last script, it should trigger failure."
       echo "Hello this is the last script, it should trigger failure."

+

       return 1;
     \}
 
       return 1;
     \}
 

diff --git a/data/data/controller/example/miscellaneous/rules/script/iki.rule b/data/data/controller/example/miscellaneous/rules/script/iki.rule
index c4519182f95f2832df6596cc1b9b3cf875735eba..6f34ddbcf59af1487cfb0920f69501ce56c41b23 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/script/iki.rule
+++ b/data/data/controller/example/miscellaneous/rules/script/iki.rule
@@ -9,22 +9,29 @@ settings:
 script:
   start {
     \#!/bin/bash
 script:
   start {
     \#!/bin/bash

-    echo "====================================="
-    env
-    echo "====================================="
-    echo "IKI Path is 'define:"PATH"'"
-    echo "IKI define IKI_TEST 'define:"IKI_TEST"'"
-    echo "ENV IKI_TEST '$IKI_TEST'"
-    echo "Some Parameter is 'parameter:"some"'"
-    echo "Unknown parameter is: 'parameter:"unknown"'"
-    echo "Unknown environment is: 'define:"unknown"'"
-    echo "Unavailable environment via IKI: 'define:"USER"'"
-    echo "Unavailable environment via ENV: '$USER'"
-    echo "Program parameter verbose: 'program:"verbose"'"
-    echo "Program parameter verbose(option): 'program:"verbose:option"'"
-    echo "Program parameter verbose(value): 'program:"verbose:value"'"
-    echo "Program parameter PID: 'program:"pid"'"
-    echo "Program parameter PID(option): 'program:"pid:option"'"
-    echo "Program parameter PID(value): 'program:"pid:value"'"
-    echo "====================================="
+
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "====================================="
+      env
+      echo "====================================="
+      echo "IKI Path is 'define:"PATH"'"
+      echo "IKI define IKI_TEST 'define:"IKI_TEST"'"
+      echo "ENV IKI_TEST '$IKI_TEST'"
+      echo "Some Parameter is 'parameter:"some"'"
+      echo "Unknown parameter is: 'parameter:"unknown"'"
+      echo "Unknown environment is: 'define:"unknown"'"
+      echo "Unavailable environment via IKI: 'define:"USER"'"
+      echo "Unavailable environment via ENV: '$USER'"
+      echo "Program parameter verbose: 'program:"verbose"'"
+      echo "Program parameter verbose(option): 'program:"verbose:option"'"
+      echo "Program parameter verbose(value): 'program:"verbose:value"'"
+      echo "Program parameter PID: 'program:"pid"'"
+      echo "Program parameter PID(option): 'program:"pid:option"'"
+      echo "Program parameter PID(value): 'program:"pid:value"'"
+      echo "====================================="
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_1.rule b/data/data/controller/example/miscellaneous/rules/serial/s_1.rule
index bb84e2da7e54b57ac06c86bfe4efba19bd6bac85..a66184611b6973724da3644699ba8000a8a5d41e 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/serial/s_1.rule
+++ b/data/data/controller/example/miscellaneous/rules/serial/s_1.rule
@@ -6,13 +6,25 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo "Serial 1: sleeping $(date -u)"
-    sleep 1
-    echo "Serial 1: slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 1: sleeping $(date -u)"
+      sleep 1
+      echo "Serial 1: slept    $(date -u)"
+    \}
+
+    main ${*}

   }
 
   stop {
   }
 
   stop {

-    echo "Serial 1: stopping, sleeping $(date -u)"
-    sleep 1
-    echo "Serial 1: stopping, slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 1: stopping, sleeping $(date -u)"
+      sleep 1
+      echo "Serial 1: stopping, slept    $(date -u)"
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_2.rule b/data/data/controller/example/miscellaneous/rules/serial/s_2.rule
index 5496172566324cd5f7ed2187e880900d6a933887..afb7392e306db24ee2608bc646a8e12a191469df 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/serial/s_2.rule
+++ b/data/data/controller/example/miscellaneous/rules/serial/s_2.rule
@@ -7,13 +7,25 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo "Serial 2: sleeping $(date -u)"
-    sleep 1
-    echo "Serial 2: slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 2: sleeping $(date -u)"
+      sleep 1
+      echo "Serial 2: slept    $(date -u)"
+    \}
+
+    main ${*}

   }
 
   stop {
   }
 
   stop {

-    echo "Serial 2: stopping, sleeping $(date -u)"
-    sleep 1
-    echo "Serial 2: stopping, slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 2: stopping, sleeping $(date -u)"
+      sleep 1
+      echo "Serial 2: stopping, slept    $(date -u)"
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_3.rule b/data/data/controller/example/miscellaneous/rules/serial/s_3.rule
index fee1d889ff152f0f92dddd451b3ef9ae41a0c3bb..bc17f589d222ed8419a94d8274efa65b211fe1bf 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/serial/s_3.rule
+++ b/data/data/controller/example/miscellaneous/rules/serial/s_3.rule
@@ -7,13 +7,25 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo "Serial 3: sleeping $(date -u)"
-    sleep 1
-    echo "Serial 3: slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 3: sleeping $(date -u)"
+      sleep 1
+      echo "Serial 3: slept    $(date -u)"
+    \}
+
+    main ${*}

   }
 
   stop {
   }
 
   stop {

-    echo "Serial 3: stopping, sleeping $(date -u)"
-    sleep 1
-    echo "Serial 3: stopping, slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 3: stopping, sleeping $(date -u)"
+      sleep 1
+      echo "Serial 3: stopping, slept    $(date -u)"
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_4.rule b/data/data/controller/example/miscellaneous/rules/serial/s_4.rule
index ff7040f55d1b585be62968204a5e9b4f52f5683d..b144dcc8d8a8a86988af90af4213fec076e8b82d 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/serial/s_4.rule
+++ b/data/data/controller/example/miscellaneous/rules/serial/s_4.rule
@@ -7,13 +7,25 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo "Serial 4: sleeping $(date -u)"
-    sleep 1
-    echo "Serial 4: slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 4: sleeping $(date -u)"
+      sleep 1
+      echo "Serial 4: slept    $(date -u)"
+    \}
+
+    main ${*}

   }
 
   stop {
   }
 
   stop {

-    echo "Serial 4: stopping, sleeping $(date -u)"
-    sleep 1
-    echo "Serial 4: stopping, slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 4: stopping, sleeping $(date -u)"
+      sleep 1
+      echo "Serial 4: stopping, slept    $(date -u)"
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_5.rule b/data/data/controller/example/miscellaneous/rules/serial/s_5.rule
index 11c7c6cba5f90986d198a11cb3fcb3c4553a7f9e..60b4a3129da4313eea617fa75002075a7a593701 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/serial/s_5.rule
+++ b/data/data/controller/example/miscellaneous/rules/serial/s_5.rule
@@ -7,13 +7,25 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo "Serial 5: sleeping $(date -u)"
-    sleep 1
-    echo "Serial 5: slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 5: sleeping $(date -u)"
+      sleep 1
+      echo "Serial 5: slept    $(date -u)"
+    \}
+
+    main ${*}

   }
 
   stop {
   }
 
   stop {

-    echo "Serial 5: stopping, sleeping $(date -u)"
-    sleep 1
-    echo "Serial 5: stopping, slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 5: stopping, sleeping $(date -u)"
+      sleep 1
+      echo "Serial 5: stopping, slept    $(date -u)"
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_6.rule b/data/data/controller/example/miscellaneous/rules/serial/s_6.rule
index 4eba10d3cc861504060634c5844d8c59ed23319d..c6d971a98b8efc94abf8982e16b0deb02cbeb0c0 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/serial/s_6.rule
+++ b/data/data/controller/example/miscellaneous/rules/serial/s_6.rule
@@ -6,13 +6,25 @@ settings:
 
 script:
   start {
 
 script:
   start {

-    echo "Serial 6: sleeping $(date -u)"
-    sleep 1
-    echo "Serial 6: slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 6: sleeping $(date -u)"
+      sleep 1
+      echo "Serial 6: slept    $(date -u)"
+    \}
+
+    main ${*}

   }
 
   stop {
   }
 
   stop {

-    echo "Serial 6: stopping, sleeping $(date -u)"
-    sleep 1
-    echo "Serial 6: stopping, slept    $(date -u)"
+    main() {
+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+
+      echo "Serial 6: stopping, sleeping $(date -u)"
+      sleep 1
+      echo "Serial 6: stopping, slept    $(date -u)"
+    \}
+
+    main ${*}

   }
   }

diff --git a/data/data/controller/example/miscellaneous/rules/utility/sleeper_1.rule b/data/data/controller/example/miscellaneous/rules/utility/sleeper_1.rule
index 3a84e5f3b04b5afe124f94062ef7231e735d9971..3ac8048ee0542a711d660c1a4e33955c1013fc24 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/utility/sleeper_1.rule
+++ b/data/data/controller/example/miscellaneous/rules/utility/sleeper_1.rule
@@ -11,6 +11,8 @@ utility:
     \#!/bin/bash
 
     main() {
     \#!/bin/bash
 
     main() {

+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+

       if [[ -f /tmp/sleeper_1.pid ]] ; then
         echo "Failure: pid file '/tmp/sleeper_1.pid' already exists."
         return 1
       if [[ -f /tmp/sleeper_1.pid ]] ; then
         echo "Failure: pid file '/tmp/sleeper_1.pid' already exists."
         return 1


@@ -23,6 +25,7 @@ utility:
 
       echo "Sleeper 1, done sleeping."
       rm -f /tmp/sleeper_1.pid
 
       echo "Sleeper 1, done sleeping."
       rm -f /tmp/sleeper_1.pid

+

       return 0
     \}
 
       return 0
     \}
 

diff --git a/data/data/controller/example/miscellaneous/rules/utility/sleeper_2.rule b/data/data/controller/example/miscellaneous/rules/utility/sleeper_2.rule
index d44d33251b77e32fd90f1059b0f0c9482f7f94dd..89e8fec6dbb0192488abc34648c8b6006db62e10 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/utility/sleeper_2.rule
+++ b/data/data/controller/example/miscellaneous/rules/utility/sleeper_2.rule
@@ -11,6 +11,8 @@ utility:
     \#!/bin/bash
 
     main() {
     \#!/bin/bash
 
     main() {

+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+

       if [[ -f /tmp/sleeper_2.pid ]] ; then
         echo "Failure: pid file '/tmp/sleeper_2.pid' already exists."
         return 1
       if [[ -f /tmp/sleeper_2.pid ]] ; then
         echo "Failure: pid file '/tmp/sleeper_2.pid' already exists."
         return 1


@@ -23,6 +25,7 @@ utility:
 
       echo "Sleeper 2, done sleeping."
       rm -f /tmp/sleeper_2.pid
 
       echo "Sleeper 2, done sleeping."
       rm -f /tmp/sleeper_2.pid

+

       return 0
     \}
 
       return 0
     \}
 

diff --git a/data/data/controller/example/miscellaneous/rules/utility/sleeper_3.rule b/data/data/controller/example/miscellaneous/rules/utility/sleeper_3.rule
index 04c8900f23868d4b740af82d85eeda3b34091c98..adf0ca8c652733ffc0546f9c5f56567ac8a82ea4 100644 (file)
--- a/data/data/controller/example/miscellaneous/rules/utility/sleeper_3.rule
+++ b/data/data/controller/example/miscellaneous/rules/utility/sleeper_3.rule
@@ -11,6 +11,8 @@ utility:
     \#!/bin/bash
 
     main() {
     \#!/bin/bash
 
     main() {

+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+

       if [[ -f /tmp/sleeper_3.1.pid ]] ; then
         echo "Failure: pid file '/tmp/sleeper_3.1.pid' already exists."
         return 1
       if [[ -f /tmp/sleeper_3.1.pid ]] ; then
         echo "Failure: pid file '/tmp/sleeper_3.1.pid' already exists."
         return 1


@@ -23,10 +25,11 @@ utility:
 
       echo "Sleeper 3.1, done sleeping."
       rm -f /tmp/sleeper_3.1.pid
 
       echo "Sleeper 3.1, done sleeping."
       rm -f /tmp/sleeper_3.1.pid

+

       return 0
     \}
 
       return 0
     \}
 

-    main &
+    main ${*} &

   }
 
 utility:
   }
 
 utility:


@@ -35,6 +38,8 @@ utility:
     \#!/bin/bash
 
     main() {
     \#!/bin/bash
 
     main() {

+      local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
+

       if [[ -f /tmp/sleeper_3.2.pid ]] ; then
         echo "Failure: pid file '/tmp/sleeper_3.2.pid' already exists."
         return 1
       if [[ -f /tmp/sleeper_3.2.pid ]] ; then
         echo "Failure: pid file '/tmp/sleeper_3.2.pid' already exists."
         return 1


@@ -47,8 +52,9 @@ utility:
 
       echo "Sleeper 3.2, done sleeping."
       rm -f /tmp/sleeper_3.2.pid
 
       echo "Sleeper 3.2, done sleeping."
       rm -f /tmp/sleeper_3.2.pid

+

       return 0
     \}
 
       return 0
     \}
 

-    main &
+    main ${*} &

   }
   }

diff --git a/install.sh b/install.sh
index c8972d1ebc6c7a806426bc97ec09f215724c4eae..fb971b524f4dbb66913ed1d71cc6e0775e3c80ed 100755 (executable)
--- a/install.sh
+++ b/install.sh
@@ -14,6 +14,7 @@
 #
 
 install_main() {
 #
 
 install_main() {

+  local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.

 
   if [[ ${SHELL_ENGINE} == "zsh" ]] ; then
     emulate ksh
 
   if [[ ${SHELL_ENGINE} == "zsh" ]] ; then
     emulate ksh


@@ -877,4 +878,4 @@ install_cleanup() {
   unset install_cleanup
 }
 
   unset install_cleanup
 }
 

-install_main $*
+install_main ${*}