Permalink
Browse files

Fix information leak through TCL variables. Fixes #137. Fixes #414

Found by: maimizuno
Patch by: michaelortmann
  • Loading branch information...
michaelortmann authored and vanosg committed Oct 12, 2018
1 parent 0b50cc2 commit bfa5f60ad827544933b9f4c5d72d56834739b530
Showing with 34 additions and 11 deletions.
  1. +34 −11 src/tclhash.c
View
@@ -817,6 +817,7 @@ int check_tcl_bind(tcl_bind_list_t *tl, const char *match,
char *proc = NULL, *mask = NULL;
tcl_bind_mask_t *tm, *tm_last = NULL, *tm_p = NULL;
tcl_cmd_t *tc, *htc = NULL;
char *str, *varName, *brkt;
for (tm = tl->first; tm && !finish; tm_last = tm, tm = tm->next) {
@@ -873,7 +874,7 @@ int check_tcl_bind(tcl_bind_list_t *tl, const char *match,
if (match_type & BIND_ALTER_ARGS) {
if (tcl_resultempty())
return x;
goto finally;
} else if ((match_type & BIND_STACKRET) && x == BIND_EXEC_LOG) {
/* If we have multiple commands/triggers, and if any of the
* commands return 1, we store the result so we can return it
@@ -884,30 +885,38 @@ int check_tcl_bind(tcl_bind_list_t *tl, const char *match,
continue;
} else if ((match_type & BIND_WANTRET) && x == BIND_EXEC_LOG)
/* Return immediately if any commands return 1 */
return x;
goto finally;
}
}
}
}
if (!cnt)
return BIND_NOMATCH;
if (!cnt) {
x = BIND_NOMATCH;
goto finally;
}
/* Do this before updating the preferred entries information,
* since we don't want to change the order of stacked binds
*/
if (result) /* BIND_STACKRET */
return result;
if (result) { /* BIND_STACKRET */
x = result;
goto finally;
}
if ((match_type & 0x07) == MATCH_MASK || (match_type & 0x07) == MATCH_CASE)
return BIND_EXECUTED;
if ((match_type & 0x07) == MATCH_MASK || (match_type & 0x07) == MATCH_CASE) {
x = BIND_EXECUTED;
goto finally;
}
/* Hit counter */
if (htc)
htc->hits++;
if (cnt > 1)
return BIND_AMBIGUOUS;
if (cnt > 1) {
x = BIND_AMBIGUOUS;
goto finally;
}
/* Now that we have found exactly one bind, we can update the
* preferred entries information.
@@ -923,7 +932,21 @@ int check_tcl_bind(tcl_bind_list_t *tl, const char *match,
tl->first = tm;
}
return trigger_bind(proc, param, mask);
x = trigger_bind(proc, param, mask);
finally:
str = nmalloc(strlen(param) + 1);
strcpy(str, param);
for (varName = strtok_r(str, " $:", &brkt);
varName;
varName = strtok_r(NULL, " $:", &brkt))
{
Tcl_UnsetVar(interp, varName, 0);
}
nfree(str);
return x;
}

0 comments on commit bfa5f60

Please sign in to comment.