From dfb448307108e799fb007c031bea29a375b3763f Mon Sep 17 00:00:00 2001 From: Kareem Date: Tue, 16 Jun 2026 16:51:18 -0700 Subject: [PATCH] Prevent command injection in includedir/libdir in configure.ac. Thanks to NVIDIA Project Vanessa for the report. --- configure.ac | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/configure.ac b/configure.ac index 2a58545fcc..f9432b4b67 100644 --- a/configure.ac +++ b/configure.ac @@ -12489,6 +12489,16 @@ if test "x$WOLFSSL_EXEC_PREFIX_ABS" = "xNONE"; then fi prefix=$WOLFSSL_PREFIX_ABS exec_prefix=$WOLFSSL_EXEC_PREFIX_ABS +# The eval calls below expand ${prefix}/${exec_prefix} references embedded in +# the libdir/includedir values. eval would, however, also execute any shell +# command substitution contained in a --libdir/--includedir value (e.g. +# --libdir='$(cmd)/lib'), running arbitrary commands during configure. +# Reject values that contain command substitution before the eval. +case "$libdir $includedir" in + *'`'* | *'$('*) + AC_MSG_ERROR([--libdir and --includedir must not contain shell command substitution]) + ;; +esac eval WOLFSSL_LIBDIR_ABS=\"$libdir\" eval WOLFSSL_INCLUDEDIR_ABS=\"$includedir\" AC_SUBST([WOLFSSL_PREFIX_ABS])