From 77ae6509da9365e02ac84f193ffa90245fe66e9e Mon Sep 17 00:00:00 2001
From: Martijn Dekker
Date: Tue, 23 Jan 2024 01:25:05 +0000
Subject: [PATCH] [v1.1] Do not import SRANDOM upper bound from env (re: 00b296cd)
If SRANDOM was exported to the environment, a child ksh was dutifully importing it, setting the imported value as an upper bound. This is very undesirable and may well be a vulnerability, depending on the script.
src/cmd/ksh93/sh/init.c: put_srand():
- Refuse to set the upper bound if the SH_INIT state is on, which is the case while importing the environment at init time.
---
 src/cmd/ksh93/sh/init.c | 2 ++
 src/cmd/ksh93/tests/variables.sh | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/src/cmd/ksh93/sh/init.c b/src/cmd/ksh93/sh/init.c
index 445c6087df8a..05aaa0dfd9fa 100644
--- a/src/cmd/ksh93/sh/init.c
+++ b/src/cmd/ksh93/sh/init.c
@@ -737,6 +737,8 @@ static void put_srand(Namval_t* np,const char *val,int flags,Namfun_t *fp)
 _nv_unset(np,NV_RDONLY);
 return;
 }
+ if(sh_isstate(SH_INIT))
+ return;
 if(flags&NV_INTEGER)
 srand_upper_bound = *(Sfdouble_t*)val;
 else
diff --git a/src/cmd/ksh93/tests/variables.sh b/src/cmd/ksh93/tests/variables.sh
index c0250102eb4d..306c239b21f1 100755
--- a/src/cmd/ksh93/tests/variables.sh
+++ b/src/cmd/ksh93/tests/variables.sh
@@ -1639,6 +1639,14 @@ do if let "got = SRANDOM, got >= bound"
 break
 fi
 done
+env "SRANDOM=$bound" "$SHELL" -c 'typeset -i i
+ for ((i=0; i<100; i++))
+ do print $SRANDOM
+ done' |
+while read i
+do ((got = i>=bound)) && break
+done
+((got)) || err_exit "SRANDOM upper bound inherited from environment"
 unset i got bound
 SRANDOM=0
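Review bot: The added `if(sh_isstate(SH_INIT)) return;` in put_srand() is a trust-boundary check but carries no comment, so a later cleanup could remove or move it without realising that it keeps an environment-supplied value from narrowing SRANDOM's range in a child shell. I would put the reason above it, for example `/* SH_INIT is on while the environment is imported: never take an upper bound from there, or the parent's environment would constrain this shell's SRANDOM values */`. The guard keys on shell state rather than on where the value came from, so any other assignment to SRANDOM made while SH_INIT is on would presumably be dropped silently as well; that is worth stating in the same comment if it is intended. put_srand()'s body starts and ends outside the hunk, so the branch that ends in `_nv_unset(np,NV_RDONLY); return;` is only partly visible here.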
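Review bot: The new regression test can pass without having checked anything, because `got` is not reset before the pipeline. The earlier loop named in the hunk header assigns `got = SRANDOM`, so `got` is almost certainly non-zero on entry. If the child shell prints nothing (for instance because `"$SHELL" -c` fails to start), the `while read i` body never runs and `((got)) || err_exit ...` is satisfied by the stale value. Adding `got=0` on the line before `env "SRANDOM=$bound" ...` makes an empty or failed child count as a failure instead of a pass.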