+++ /dev/null
-Update bash to patchlevel 25.
-It's basically a single patch made out from
-http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/ (bash43-001 to 025).
-Fixes CVE-2014-6271:
-Under certain circumstances, bash will execute user code while processing the
-environment for exported function definitions.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff -Nura bash-4.3.orig/arrayfunc.c bash-4.3/arrayfunc.c
---- bash-4.3.orig/arrayfunc.c 2014-09-24 14:45:32.573985743 -0300
-+++ bash-4.3/arrayfunc.c 2014-09-24 14:45:48.858540124 -0300
-@@ -179,6 +179,7 @@
- array_insert (array_cell (entry), ind, newval);
- FREE (newval);
-
-+ VUNSETATTR (entry, att_invisible); /* no longer invisible */
- return (entry);
- }
-
-@@ -597,6 +598,11 @@
- if (assoc_p (var))
- {
- val = expand_assignment_string_to_string (val, 0);
-+ if (val == 0)
-+ {
-+ val = (char *)xmalloc (1);
-+ val[0] = '\0'; /* like do_assignment_internal */
-+ }
- free_val = 1;
- }
-
-diff -Nura bash-4.3.orig/bashline.c bash-4.3/bashline.c
---- bash-4.3.orig/bashline.c 2014-09-24 14:45:32.574985778 -0300
-+++ bash-4.3/bashline.c 2014-09-24 14:45:48.851539885 -0300
-@@ -4167,9 +4167,16 @@
- int qc;
-
- qc = rl_dispatching ? rl_completion_quote_character : 0;
-- dfn = bash_dequote_filename ((char *)text, qc);
-+ /* If rl_completion_found_quote != 0, rl_completion_matches will call the
-+ filename dequoting function, causing the directory name to be dequoted
-+ twice. */
-+ if (rl_dispatching && rl_completion_found_quote == 0)
-+ dfn = bash_dequote_filename ((char *)text, qc);
-+ else
-+ dfn = (char *)text;
- m1 = rl_completion_matches (dfn, rl_filename_completion_function);
-- free (dfn);
-+ if (dfn != text)
-+ free (dfn);
-
- if (m1 == 0 || m1[0] == 0)
- return m1;
-diff -Nura bash-4.3.orig/builtins/common.h bash-4.3/builtins/common.h
---- bash-4.3.orig/builtins/common.h 2014-09-24 14:45:32.630987683 -0300
-+++ bash-4.3/builtins/common.h 2014-09-24 14:45:48.878540805 -0300
-@@ -33,6 +33,8 @@
- #define SEVAL_RESETLINE 0x010
- #define SEVAL_PARSEONLY 0x020
- #define SEVAL_NOLONGJMP 0x040
-+#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
-+#define SEVAL_ONECMD 0x100 /* only allow a single command */
-
- /* Flags for describe_command, shared between type.def and command.def */
- #define CDESC_ALL 0x001 /* type -a */
-diff -Nura bash-4.3.orig/builtins/evalstring.c bash-4.3/builtins/evalstring.c
---- bash-4.3.orig/builtins/evalstring.c 2014-09-24 14:45:32.631987717 -0300
-+++ bash-4.3/builtins/evalstring.c 2014-09-24 14:45:48.879540839 -0300
-@@ -308,6 +308,14 @@
- {
- struct fd_bitmap *bitmap;
-
-+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
-+ {
-+ internal_warning ("%s: ignoring function definition attempt", from_file);
-+ should_jump_to_top_level = 0;
-+ last_result = last_command_exit_value = EX_BADUSAGE;
-+ break;
-+ }
-+
- bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
- begin_unwind_frame ("pe_dispose");
- add_unwind_protect (dispose_fd_bitmap, bitmap);
-@@ -368,6 +376,9 @@
- dispose_command (command);
- dispose_fd_bitmap (bitmap);
- discard_unwind_frame ("pe_dispose");
-+
-+ if (flags & SEVAL_ONECMD)
-+ break;
- }
- }
- else
-diff -Nura bash-4.3.orig/builtins/read.def bash-4.3/builtins/read.def
---- bash-4.3.orig/builtins/read.def 2014-09-24 14:45:32.631987717 -0300
-+++ bash-4.3/builtins/read.def 2014-09-24 14:45:48.860540192 -0300
-@@ -442,7 +442,10 @@
- add_unwind_protect (reset_alarm, (char *)NULL);
- #if defined (READLINE)
- if (edit)
-- add_unwind_protect (reset_attempted_completion_function, (char *)NULL);
-+ {
-+ add_unwind_protect (reset_attempted_completion_function, (char *)NULL);
-+ add_unwind_protect (bashline_reset_event_hook, (char *)NULL);
-+ }
- #endif
- falarm (tmsec, tmusec);
- }
-@@ -1021,6 +1024,7 @@
-
- old_attempted_completion_function = rl_attempted_completion_function;
- rl_attempted_completion_function = (rl_completion_func_t *)NULL;
-+ bashline_set_event_hook ();
- if (itext)
- {
- old_startup_hook = rl_startup_hook;
-@@ -1032,6 +1036,7 @@
-
- rl_attempted_completion_function = old_attempted_completion_function;
- old_attempted_completion_function = (rl_completion_func_t *)NULL;
-+ bashline_reset_event_hook ();
-
- if (ret == 0)
- return ret;
-diff -Nura bash-4.3.orig/execute_cmd.c bash-4.3/execute_cmd.c
---- bash-4.3.orig/execute_cmd.c 2014-09-24 14:45:32.573985743 -0300
-+++ bash-4.3/execute_cmd.c 2014-09-24 14:45:48.870540532 -0300
-@@ -2409,7 +2409,16 @@
- #endif
- lstdin = wait_for (lastpid);
- #if defined (JOB_CONTROL)
-- exec_result = job_exit_status (lastpipe_jid);
-+ /* If wait_for removes the job from the jobs table, use result of last
-+ command as pipeline's exit status as usual. The jobs list can get
-+ frozen and unfrozen at inconvenient times if there are multiple pipelines
-+ running simultaneously. */
-+ if (INVALID_JOB (lastpipe_jid) == 0)
-+ exec_result = job_exit_status (lastpipe_jid);
-+ else if (pipefail_opt)
-+ exec_result = exec_result | lstdin; /* XXX */
-+ /* otherwise we use exec_result */
-+
- #endif
- unfreeze_jobs_list ();
- }
-diff -Nura bash-4.3.orig/externs.h bash-4.3/externs.h
---- bash-4.3.orig/externs.h 2014-09-24 14:45:32.573985743 -0300
-+++ bash-4.3/externs.h 2014-09-24 14:45:48.837539409 -0300
-@@ -324,6 +324,7 @@
- extern char *sh_backslash_quote __P((char *, const char *, int));
- extern char *sh_backslash_quote_for_double_quotes __P((char *));
- extern int sh_contains_shell_metas __P((char *));
-+extern int sh_contains_quotes __P((char *));
-
- /* declarations for functions defined in lib/sh/spell.c */
- extern int spname __P((char *, char *));
-diff -Nura bash-4.3.orig/jobs.c bash-4.3/jobs.c
---- bash-4.3.orig/jobs.c 2014-09-24 14:45:32.639987989 -0300
-+++ bash-4.3/jobs.c 2014-09-24 14:45:48.843539613 -0300
-@@ -3597,6 +3597,7 @@
- unwind_protect_int (jobs_list_frozen);
- unwind_protect_pointer (the_pipeline);
- unwind_protect_pointer (subst_assign_varlist);
-+ unwind_protect_pointer (this_shell_builtin);
-
- /* We have to add the commands this way because they will be run
- in reverse order of adding. We don't want maybe_set_sigchld_trap ()
-@@ -4374,7 +4375,7 @@
- void
- end_job_control ()
- {
-- if (interactive_shell) /* XXX - should it be interactive? */
-+ if (interactive_shell || job_control) /* XXX - should it be just job_control? */
- {
- terminate_stopped_jobs ();
-
-diff -Nura bash-4.3.orig/lib/glob/glob.c bash-4.3/lib/glob/glob.c
---- bash-4.3.orig/lib/glob/glob.c 2014-09-24 14:45:32.652988432 -0300
-+++ bash-4.3/lib/glob/glob.c 2014-09-24 14:45:48.853539954 -0300
-@@ -123,6 +123,8 @@
- extern char *glob_patscan __P((char *, char *, int));
- extern wchar_t *glob_patscan_wc __P((wchar_t *, wchar_t *, int));
-
-+extern char *glob_dirscan __P((char *, int));
-+
- /* Compile `glob_loop.c' for single-byte characters. */
- #define CHAR unsigned char
- #define INT int
-@@ -179,42 +181,53 @@
- char *pat, *dname;
- int flags;
- {
-- char *pp, *pe, *t;
-- int n, r;
-+ char *pp, *pe, *t, *se;
-+ int n, r, negate;
-
-+ negate = *pat == '!';
- pp = pat + 2;
-- pe = pp + strlen (pp) - 1; /*(*/
-- if (*pe != ')')
-+ se = pp + strlen (pp) - 1; /* end of string */
-+ pe = glob_patscan (pp, se, 0); /* end of extglob pattern (( */
-+ /* we should check for invalid extglob pattern here */
-+ if (pe == 0)
- return 0;
-- if ((t = strchr (pp, '|')) == 0) /* easy case first */
-+
-+ /* if pe != se we have more of the pattern at the end of the extglob
-+ pattern. Check the easy case first ( */
-+ if (pe == se && *pe == ')' && (t = strchr (pp, '|')) == 0)
- {
- *pe = '\0';
-+#if defined (HANDLE_MULTIBYTE)
-+ r = mbskipname (pp, dname, flags);
-+#else
- r = skipname (pp, dname, flags); /*(*/
-+#endif
- *pe = ')';
- return r;
- }
-+
-+ /* check every subpattern */
- while (t = glob_patscan (pp, pe, '|'))
- {
- n = t[-1];
- t[-1] = '\0';
-+#if defined (HANDLE_MULTIBYTE)
-+ r = mbskipname (pp, dname, flags);
-+#else
- r = skipname (pp, dname, flags);
-+#endif
- t[-1] = n;
- if (r == 0) /* if any pattern says not skip, we don't skip */
- return r;
- pp = t;
- } /*(*/
-
-- if (pp == pe) /* glob_patscan might find end of pattern */
-+ /* glob_patscan might find end of pattern */
-+ if (pp == se)
- return r;
-
-- *pe = '\0';
--# if defined (HANDLE_MULTIBYTE)
-- r = mbskipname (pp, dname, flags); /*(*/
--# else
-- r = skipname (pp, dname, flags); /*(*/
--# endif
-- *pe = ')';
-- return r;
-+ /* but if it doesn't then we didn't match a leading dot */
-+ return 0;
- }
- #endif
-
-@@ -277,20 +290,23 @@
- int flags;
- {
- #if EXTENDED_GLOB
-- wchar_t *pp, *pe, *t, n;
-- int r;
-+ wchar_t *pp, *pe, *t, n, *se;
-+ int r, negate;
-
-+ negate = *pat == L'!';
- pp = pat + 2;
-- pe = pp + wcslen (pp) - 1; /*(*/
-- if (*pe != L')')
-- return 0;
-- if ((t = wcschr (pp, L'|')) == 0)
-+ se = pp + wcslen (pp) - 1; /*(*/
-+ pe = glob_patscan_wc (pp, se, 0);
-+
-+ if (pe == se && *pe == ')' && (t = wcschr (pp, L'|')) == 0)
- {
- *pe = L'\0';
- r = wchkname (pp, dname); /*(*/
- *pe = L')';
- return r;
- }
-+
-+ /* check every subpattern */
- while (t = glob_patscan_wc (pp, pe, '|'))
- {
- n = t[-1];
-@@ -305,10 +321,8 @@
- if (pp == pe) /* glob_patscan_wc might find end of pattern */
- return r;
-
-- *pe = L'\0';
-- r = wchkname (pp, dname); /*(*/
-- *pe = L')';
-- return r;
-+ /* but if it doesn't then we didn't match a leading dot */
-+ return 0;
- #else
- return (wchkname (pat, dname));
- #endif
-@@ -1006,7 +1020,7 @@
- {
- char **result;
- unsigned int result_size;
-- char *directory_name, *filename, *dname;
-+ char *directory_name, *filename, *dname, *fn;
- unsigned int directory_len;
- int free_dirname; /* flag */
- int dflags;
-@@ -1022,6 +1036,18 @@
-
- /* Find the filename. */
- filename = strrchr (pathname, '/');
-+#if defined (EXTENDED_GLOB)
-+ if (filename && extended_glob)
-+ {
-+ fn = glob_dirscan (pathname, '/');
-+#if DEBUG_MATCHING
-+ if (fn != filename)
-+ fprintf (stderr, "glob_filename: glob_dirscan: fn (%s) != filename (%s)\n", fn ? fn : "(null)", filename);
-+#endif
-+ filename = fn;
-+ }
-+#endif
-+
- if (filename == NULL)
- {
- filename = pathname;
-diff -Nura bash-4.3.orig/lib/glob/gmisc.c bash-4.3/lib/glob/gmisc.c
---- bash-4.3.orig/lib/glob/gmisc.c 2014-09-24 14:45:32.652988432 -0300
-+++ bash-4.3/lib/glob/gmisc.c 2014-09-24 14:45:48.854539988 -0300
-@@ -42,6 +42,8 @@
- #define WLPAREN L'('
- #define WRPAREN L')'
-
-+extern char *glob_patscan __P((char *, char *, int));
-+
- /* Return 1 of the first character of WSTRING could match the first
- character of pattern WPAT. Wide character version. */
- int
-@@ -210,6 +212,7 @@
- case '+':
- case '!':
- case '@':
-+ case '?':
- return (pat[1] == LPAREN);
- default:
- return 0;
-@@ -374,3 +377,34 @@
-
- return matlen;
- }
-+
-+/* Skip characters in PAT and return the final occurrence of DIRSEP. This
-+ is only called when extended_glob is set, so we have to skip over extglob
-+ patterns x(...) */
-+char *
-+glob_dirscan (pat, dirsep)
-+ char *pat;
-+ int dirsep;
-+{
-+ char *p, *d, *pe, *se;
-+
-+ d = pe = se = 0;
-+ for (p = pat; p && *p; p++)
-+ {
-+ if (extglob_pattern_p (p))
-+ {
-+ if (se == 0)
-+ se = p + strlen (p) - 1;
-+ pe = glob_patscan (p + 2, se, 0);
-+ if (pe == 0)
-+ continue;
-+ else if (*pe == 0)
-+ break;
-+ p = pe - 1; /* will do increment above */
-+ continue;
-+ }
-+ if (*p == dirsep)
-+ d = p;
-+ }
-+ return d;
-+}
-diff -Nura bash-4.3.orig/lib/readline/display.c bash-4.3/lib/readline/display.c
---- bash-4.3.orig/lib/readline/display.c 2014-09-24 14:45:32.652988432 -0300
-+++ bash-4.3/lib/readline/display.c 2014-09-24 14:45:48.845539681 -0300
-@@ -1637,7 +1637,7 @@
- /* If we are changing the number of invisible characters in a line, and
- the spot of first difference is before the end of the invisible chars,
- lendiff needs to be adjusted. */
-- if (current_line == 0 && !_rl_horizontal_scroll_mode &&
-+ if (current_line == 0 && /* !_rl_horizontal_scroll_mode && */
- current_invis_chars != visible_wrap_offset)
- {
- if (MB_CUR_MAX > 1 && rl_byte_oriented == 0)
-@@ -1825,8 +1825,13 @@
- else
- _rl_last_c_pos += bytes_to_insert;
-
-+ /* XXX - we only want to do this if we are at the end of the line
-+ so we move there with _rl_move_cursor_relative */
- if (_rl_horizontal_scroll_mode && ((oe-old) > (ne-new)))
-- goto clear_rest_of_line;
-+ {
-+ _rl_move_cursor_relative (ne-new, new);
-+ goto clear_rest_of_line;
-+ }
- }
- }
- /* Otherwise, print over the existing material. */
-@@ -2677,7 +2682,8 @@
- {
- if (_rl_echoing_p)
- {
-- _rl_move_vert (_rl_vis_botlin);
-+ if (_rl_vis_botlin > 0) /* minor optimization plus bug fix */
-+ _rl_move_vert (_rl_vis_botlin);
- _rl_vis_botlin = 0;
- fflush (rl_outstream);
- rl_restart_output (1, 0);
-diff -Nura bash-4.3.orig/lib/readline/input.c bash-4.3/lib/readline/input.c
---- bash-4.3.orig/lib/readline/input.c 2014-09-24 14:45:32.651988398 -0300
-+++ bash-4.3/lib/readline/input.c 2014-09-24 14:45:48.860540192 -0300
-@@ -534,8 +534,16 @@
- return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF);
- else if (_rl_caught_signal == SIGHUP || _rl_caught_signal == SIGTERM)
- return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF);
-+ /* keyboard-generated signals of interest */
- else if (_rl_caught_signal == SIGINT || _rl_caught_signal == SIGQUIT)
- RL_CHECK_SIGNALS ();
-+ /* non-keyboard-generated signals of interest */
-+ else if (_rl_caught_signal == SIGALRM
-+#if defined (SIGVTALRM)
-+ || _rl_caught_signal == SIGVTALRM
-+#endif
-+ )
-+ RL_CHECK_SIGNALS ();
-
- if (rl_signal_event_hook)
- (*rl_signal_event_hook) ();
-diff -Nura bash-4.3.orig/lib/readline/misc.c bash-4.3/lib/readline/misc.c
---- bash-4.3.orig/lib/readline/misc.c 2014-09-24 14:45:32.652988432 -0300
-+++ bash-4.3/lib/readline/misc.c 2014-09-24 14:45:48.867540430 -0300
-@@ -461,6 +461,7 @@
- saved_undo_list = 0;
- /* Set up rl_line_buffer and other variables from history entry */
- rl_replace_from_history (entry, 0); /* entry->line is now current */
-+ entry->data = 0; /* entry->data is now current undo list */
- /* Undo all changes to this history entry */
- while (rl_undo_list)
- rl_do_undo ();
-@@ -468,7 +469,6 @@
- the timestamp. */
- FREE (entry->line);
- entry->line = savestring (rl_line_buffer);
-- entry->data = 0;
- }
- entry = previous_history ();
- }
-diff -Nura bash-4.3.orig/lib/readline/readline.c bash-4.3/lib/readline/readline.c
---- bash-4.3.orig/lib/readline/readline.c 2014-09-24 14:45:32.652988432 -0300
-+++ bash-4.3/lib/readline/readline.c 2014-09-24 14:45:48.819538797 -0300
-@@ -744,7 +744,8 @@
- r = _rl_subseq_result (r, cxt->oldmap, cxt->okey, (cxt->flags & KSEQ_SUBSEQ));
-
- RL_CHECK_SIGNALS ();
-- if (r == 0) /* success! */
-+ /* We only treat values < 0 specially to simulate recursion. */
-+ if (r >= 0 || (r == -1 && (cxt->flags & KSEQ_SUBSEQ) == 0)) /* success! or failure! */
- {
- _rl_keyseq_chain_dispose ();
- RL_UNSETSTATE (RL_STATE_MULTIKEY);
-@@ -964,7 +965,7 @@
- #if defined (VI_MODE)
- if (rl_editing_mode == vi_mode && _rl_keymap == vi_movement_keymap &&
- key != ANYOTHERKEY &&
-- rl_key_sequence_length == 1 && /* XXX */
-+ _rl_dispatching_keymap == vi_movement_keymap &&
- _rl_vi_textmod_command (key))
- _rl_vi_set_last (key, rl_numeric_arg, rl_arg_sign);
- #endif
-diff -Nura bash-4.3.orig/lib/sh/shquote.c bash-4.3/lib/sh/shquote.c
---- bash-4.3.orig/lib/sh/shquote.c 2014-09-24 14:45:32.654988500 -0300
-+++ bash-4.3/lib/sh/shquote.c 2014-09-24 14:45:48.837539409 -0300
-@@ -311,3 +311,17 @@
-
- return (0);
- }
-+
-+int
-+sh_contains_quotes (string)
-+ char *string;
-+{
-+ char *s;
-+
-+ for (s = string; s && *s; s++)
-+ {
-+ if (*s == '\'' || *s == '"' || *s == '\\')
-+ return 1;
-+ }
-+ return 0;
-+}
-diff -Nura bash-4.3.orig/parse.y bash-4.3/parse.y
---- bash-4.3.orig/parse.y 2014-09-24 14:45:32.650988364 -0300
-+++ bash-4.3/parse.y 2014-09-24 14:45:48.863540294 -0300
-@@ -2424,7 +2424,7 @@
- not already end in an EOF character. */
- if (shell_input_line_terminator != EOF)
- {
-- if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3)
-+ if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size))
- shell_input_line = (char *)xrealloc (shell_input_line,
- 1 + (shell_input_line_size += 2));
-
-@@ -2642,7 +2642,7 @@
- int r;
-
- r = 0;
-- while (need_here_doc)
-+ while (need_here_doc > 0)
- {
- parser_state |= PST_HEREDOC;
- make_here_document (redir_stack[r++], line_number);
-@@ -3398,7 +3398,7 @@
- within a double-quoted ${...} construct "an even number of
- unescaped double-quotes or single-quotes, if any, shall occur." */
- /* This was changed in Austin Group Interp 221 */
-- if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
-+ if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
- continue;
-
- /* Could also check open == '`' if we want to parse grouping constructs
-@@ -6075,6 +6075,7 @@
-
- ps->expand_aliases = expand_aliases;
- ps->echo_input_at_read = echo_input_at_read;
-+ ps->need_here_doc = need_here_doc;
-
- ps->token = token;
- ps->token_buffer_size = token_buffer_size;
-@@ -6123,6 +6124,7 @@
-
- expand_aliases = ps->expand_aliases;
- echo_input_at_read = ps->echo_input_at_read;
-+ need_here_doc = ps->need_here_doc;
-
- FREE (token);
- token = ps->token;
-diff -Nura bash-4.3.orig/patchlevel.h bash-4.3/patchlevel.h
---- bash-4.3.orig/patchlevel.h 2014-09-24 14:45:32.639987989 -0300
-+++ bash-4.3/patchlevel.h 2014-09-24 14:45:48.883540975 -0300
-@@ -25,6 +25,6 @@
- regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
- looks for to find the patch level (for the sccs version string). */
-
--#define PATCHLEVEL 0
-+#define PATCHLEVEL 25
-
- #endif /* _PATCHLEVEL_H_ */
-diff -Nura bash-4.3.orig/pcomplete.c bash-4.3/pcomplete.c
---- bash-4.3.orig/pcomplete.c 2014-09-24 14:45:32.637987921 -0300
-+++ bash-4.3/pcomplete.c 2014-09-24 14:45:48.838539443 -0300
-@@ -183,6 +183,7 @@
-
- COMPSPEC *pcomp_curcs;
- const char *pcomp_curcmd;
-+const char *pcomp_curtxt;
-
- #ifdef DEBUG
- /* Debugging code */
-@@ -753,6 +754,32 @@
- quoted strings. */
- dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character);
- }
-+ /* Intended to solve a mismatched assumption by bash-completion. If
-+ the text to be completed is empty, but bash-completion turns it into
-+ a quoted string ('') assuming that this code will dequote it before
-+ calling readline, do the dequoting. */
-+ else if (iscompgen && iscompleting &&
-+ pcomp_curtxt && *pcomp_curtxt == 0 &&
-+ text && (*text == '\'' || *text == '"') && text[1] == text[0] && text[2] == 0 &&
-+ rl_filename_dequoting_function)
-+ dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character);
-+ /* Another mismatched assumption by bash-completion. If compgen is being
-+ run as part of bash-completion, and the argument to compgen is not
-+ the same as the word originally passed to the programmable completion
-+ code, dequote the argument if it has quote characters. It's an
-+ attempt to detect when bash-completion is quoting its filename
-+ argument before calling compgen. */
-+ /* We could check whether gen_shell_function_matches is in the call
-+ stack by checking whether the gen-shell-function-matches tag is in
-+ the unwind-protect stack, but there's no function to do that yet.
-+ We could simply check whether we're executing in a function by
-+ checking variable_context, and may end up doing that. */
-+ else if (iscompgen && iscompleting && rl_filename_dequoting_function &&
-+ pcomp_curtxt && text &&
-+ STREQ (pcomp_curtxt, text) == 0 &&
-+ variable_context &&
-+ sh_contains_quotes (text)) /* guess */
-+ dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character);
- else
- dfn = savestring (text);
- }
-@@ -1522,7 +1549,7 @@
- COMPSPEC **lastcs;
- {
- COMPSPEC *cs, *oldcs;
-- const char *oldcmd;
-+ const char *oldcmd, *oldtxt;
- STRINGLIST *ret;
-
- cs = progcomp_search (ocmd);
-@@ -1545,14 +1572,17 @@
-
- oldcs = pcomp_curcs;
- oldcmd = pcomp_curcmd;
-+ oldtxt = pcomp_curtxt;
-
- pcomp_curcs = cs;
- pcomp_curcmd = cmd;
-+ pcomp_curtxt = word;
-
- ret = gen_compspec_completions (cs, cmd, word, start, end, foundp);
-
- pcomp_curcs = oldcs;
- pcomp_curcmd = oldcmd;
-+ pcomp_curtxt = oldtxt;
-
- /* We need to conditionally handle setting *retryp here */
- if (retryp)
-diff -Nura bash-4.3.orig/shell.h bash-4.3/shell.h
---- bash-4.3.orig/shell.h 2014-09-24 14:45:32.573985743 -0300
-+++ bash-4.3/shell.h 2014-09-24 14:45:48.862540260 -0300
-@@ -168,7 +168,8 @@
- /* flags state affecting the parser */
- int expand_aliases;
- int echo_input_at_read;
--
-+ int need_here_doc;
-+
- } sh_parser_state_t;
-
- typedef struct _sh_input_line_state_t {
-diff -Nura bash-4.3.orig/subst.c bash-4.3/subst.c
---- bash-4.3.orig/subst.c 2014-09-24 14:45:32.640988023 -0300
-+++ bash-4.3/subst.c 2014-09-24 14:45:48.882540941 -0300
-@@ -1192,12 +1192,18 @@
- Start extracting at (SINDEX) as if we had just seen "<(".
- Make (SINDEX) get the position of the matching ")". */ /*))*/
- char *
--extract_process_subst (string, starter, sindex)
-+extract_process_subst (string, starter, sindex, xflags)
- char *string;
- char *starter;
- int *sindex;
-+ int xflags;
- {
-+#if 0
- return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND));
-+#else
-+ xflags |= (no_longjmp_on_fatal_error ? SX_NOLONGJMP : 0);
-+ return (xparse_dolparen (string, string+*sindex, sindex, xflags));
-+#endif
- }
- #endif /* PROCESS_SUBSTITUTION */
-
-@@ -1785,7 +1791,7 @@
- si = i + 2;
- if (string[si] == '\0')
- CQ_RETURN(si);
-- temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si);
-+ temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si, 0);
- free (temp); /* no SX_ALLOC here */
- i = si;
- if (string[i] == '\0')
-@@ -3248,8 +3254,10 @@
- if (w->word == 0 || w->word[0] == '\0')
- return ((char *)NULL);
-
-+ expand_no_split_dollar_star = 1;
- w->flags |= W_NOSPLIT2;
- l = call_expand_word_internal (w, 0, 0, (int *)0, (int *)0);
-+ expand_no_split_dollar_star = 0;
- if (l)
- {
- if (special == 0) /* LHS */
-@@ -7366,7 +7374,13 @@
- }
-
- if (want_indir)
-- tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
-+ {
-+ tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
-+ /* Turn off the W_ARRAYIND flag because there is no way for this function
-+ to return the index we're supposed to be using. */
-+ if (tdesc && tdesc->flags)
-+ tdesc->flags &= ~W_ARRAYIND;
-+ }
- else
- tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind);
-
-@@ -7847,6 +7861,10 @@
- We also want to make sure that splitting is done no matter what --
- according to POSIX.2, this expands to a list of the positional
- parameters no matter what IFS is set to. */
-+ /* XXX - what to do when in a context where word splitting is not
-+ performed? Even when IFS is not the default, posix seems to imply
-+ that we behave like unquoted $* ? Maybe we should use PF_NOSPLIT2
-+ here. */
- temp = string_list_dollar_at (list, (pflags & PF_ASSIGNRHS) ? (quoted|Q_DOUBLE_QUOTES) : quoted);
-
- tflag |= W_DOLLARAT;
-@@ -8029,7 +8047,9 @@
-
- goto return0;
- }
-- else if (var = find_variable_last_nameref (temp1))
-+ else if (var && (invisible_p (var) || var_isset (var) == 0))
-+ temp = (char *)NULL;
-+ else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
- {
- temp = nameref_cell (var);
- #if defined (ARRAY_VARS)
-@@ -8243,7 +8263,7 @@
- else
- t_index = sindex + 1; /* skip past both '<' and LPAREN */
-
-- temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index); /*))*/
-+ temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index, 0); /*))*/
- sindex = t_index;
-
- /* If the process substitution specification is `<()', we want to
-@@ -8816,6 +8836,7 @@
- else
- {
- char *ifs_chars;
-+ char *tstring;
-
- ifs_chars = (quoted_dollar_at || has_dollar_at) ? ifs_value : (char *)NULL;
-
-@@ -8830,11 +8851,36 @@
- regardless of what else has happened to IFS since the expansion. */
- if (split_on_spaces)
- list = list_string (istring, " ", 1); /* XXX quoted == 1? */
-+ /* If we have $@ (has_dollar_at != 0) and we are in a context where we
-+ don't want to split the result (W_NOSPLIT2), and we are not quoted,
-+ we have already separated the arguments with the first character of
-+ $IFS. In this case, we want to return a list with a single word
-+ with the separator possibly replaced with a space (it's what other
-+ shells seem to do).
-+ quoted_dollar_at is internal to this function and is set if we are
-+ passed an argument that is unquoted (quoted == 0) but we encounter a
-+ double-quoted $@ while expanding it. */
-+ else if (has_dollar_at && quoted_dollar_at == 0 && ifs_chars && quoted == 0 && (word->flags & W_NOSPLIT2))
-+ {
-+ /* Only split and rejoin if we have to */
-+ if (*ifs_chars && *ifs_chars != ' ')
-+ {
-+ list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1);
-+ tstring = string_list (list);
-+ }
-+ else
-+ tstring = istring;
-+ tword = make_bare_word (tstring);
-+ if (tstring != istring)
-+ free (tstring);
-+ goto set_word_flags;
-+ }
- else if (has_dollar_at && ifs_chars)
- list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1);
- else
- {
- tword = make_bare_word (istring);
-+set_word_flags:
- if ((quoted & (Q_DOUBLE_QUOTES|Q_HERE_DOCUMENT)) || (quoted_state == WHOLLY_QUOTED))
- tword->flags |= W_QUOTED;
- if (word->flags & W_ASSIGNMENT)
-diff -Nura bash-4.3.orig/subst.h bash-4.3/subst.h
---- bash-4.3.orig/subst.h 2014-09-24 14:45:32.655988534 -0300
-+++ bash-4.3/subst.h 2014-09-24 14:45:48.871540566 -0300
-@@ -82,7 +82,7 @@
- /* Extract the <( or >( construct in STRING, and return a new string.
- Start extracting at (SINDEX) as if we had just seen "<(".
- Make (SINDEX) get the position just after the matching ")". */
--extern char *extract_process_subst __P((char *, char *, int *));
-+extern char *extract_process_subst __P((char *, char *, int *, int));
- #endif /* PROCESS_SUBSTITUTION */
-
- /* Extract the name of the variable to bind to from the assignment string. */
-diff -Nura bash-4.3.orig/test.c bash-4.3/test.c
---- bash-4.3.orig/test.c 2014-09-24 14:45:32.650988364 -0300
-+++ bash-4.3/test.c 2014-09-24 14:45:48.814538631 -0300
-@@ -646,8 +646,8 @@
- return (v && invisible_p (v) == 0 && var_isset (v) ? TRUE : FALSE);
-
- case 'R':
-- v = find_variable (arg);
-- return (v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v) ? TRUE : FALSE);
-+ v = find_variable_noref (arg);
-+ return ((v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v)) ? TRUE : FALSE);
- }
-
- /* We can't actually get here, but this shuts up gcc. */
-@@ -723,6 +723,7 @@
- case 'o': case 'p': case 'r': case 's': case 't':
- case 'u': case 'v': case 'w': case 'x': case 'z':
- case 'G': case 'L': case 'O': case 'S': case 'N':
-+ case 'R':
- return (1);
- }
-
-diff -Nura bash-4.3.orig/trap.c bash-4.3/trap.c
---- bash-4.3.orig/trap.c 2014-09-24 14:45:32.637987921 -0300
-+++ bash-4.3/trap.c 2014-09-24 14:45:48.815538661 -0300
-@@ -920,7 +920,8 @@
- subst_assign_varlist = 0;
-
- #if defined (JOB_CONTROL)
-- save_pipeline (1); /* XXX only provides one save level */
-+ if (sig != DEBUG_TRAP) /* run_debug_trap does this */
-+ save_pipeline (1); /* XXX only provides one save level */
- #endif
-
- /* If we're in a function, make sure return longjmps come here, too. */
-@@ -940,7 +941,8 @@
- trap_exit_value = last_command_exit_value;
-
- #if defined (JOB_CONTROL)
-- restore_pipeline (1);
-+ if (sig != DEBUG_TRAP) /* run_debug_trap does this */
-+ restore_pipeline (1);
- #endif
-
- subst_assign_varlist = save_subst_varlist;
-diff -Nura bash-4.3.orig/variables.c bash-4.3/variables.c
---- bash-4.3.orig/variables.c 2014-09-24 14:45:32.632987751 -0300
-+++ bash-4.3/variables.c 2014-09-24 14:45:48.880540873 -0300
-@@ -358,13 +358,11 @@
- temp_string[char_index] = ' ';
- strcpy (temp_string + char_index + 1, string);
-
-- if (posixly_correct == 0 || legal_identifier (name))
-- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
--
-- /* Ancient backwards compatibility. Old versions of bash exported
-- functions like name()=() {...} */
-- if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
-- name[char_index - 2] = '\0';
-+ /* Don't import function names that are invalid identifiers from the
-+ environment, though we still allow them to be defined as shell
-+ variables. */
-+ if (legal_identifier (name))
-+ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
-
- if (temp_var = find_function (name))
- {
-@@ -381,10 +379,6 @@
- last_command_exit_value = 1;
- report_error (_("error importing function definition for `%s'"), name);
- }
--
-- /* ( */
-- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
-- name[char_index - 2] = '('; /* ) */
- }
- #if defined (ARRAY_VARS)
- # if ARRAY_EXPORT
-@@ -2197,10 +2191,7 @@
- /* local foo; local foo; is a no-op. */
- old_var = find_variable (name);
- if (old_var && local_p (old_var) && old_var->context == variable_context)
-- {
-- VUNSETATTR (old_var, att_invisible); /* XXX */
-- return (old_var);
-- }
-+ return (old_var);
-
- was_tmpvar = old_var && tempvar_p (old_var);
- /* If we're making a local variable in a shell function, the temporary env
-diff -Nura bash-4.3.orig/y.tab.c bash-4.3/y.tab.c
---- bash-4.3.orig/y.tab.c 2014-09-24 14:45:32.573985743 -0300
-+++ bash-4.3/y.tab.c 2014-09-24 14:45:48.865540362 -0300
-@@ -4736,7 +4736,7 @@
- not already end in an EOF character. */
- if (shell_input_line_terminator != EOF)
- {
-- if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3)
-+ if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size))
- shell_input_line = (char *)xrealloc (shell_input_line,
- 1 + (shell_input_line_size += 2));
-
-@@ -4954,7 +4954,7 @@
- int r;
-
- r = 0;
-- while (need_here_doc)
-+ while (need_here_doc > 0)
- {
- parser_state |= PST_HEREDOC;
- make_here_document (redir_stack[r++], line_number);
-@@ -5710,7 +5710,7 @@
- within a double-quoted ${...} construct "an even number of
- unescaped double-quotes or single-quotes, if any, shall occur." */
- /* This was changed in Austin Group Interp 221 */
-- if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
-+ if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
- continue;
-
- /* Could also check open == '`' if we want to parse grouping constructs
-@@ -8387,6 +8387,7 @@
-
- ps->expand_aliases = expand_aliases;
- ps->echo_input_at_read = echo_input_at_read;
-+ ps->need_here_doc = need_here_doc;
-
- ps->token = token;
- ps->token_buffer_size = token_buffer_size;
-@@ -8435,6 +8436,7 @@
-
- expand_aliases = ps->expand_aliases;
- echo_input_at_read = ps->echo_input_at_read;
-+ need_here_doc = ps->need_here_doc;
-
- FREE (token);
- token = ps->token;
--- /dev/null
+Update bash to patchlevel 27.
+It's basically a single patch made out from
+http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/ (bash43-001 to 027).
+Fixes CVE-2014-6271 (level 25):
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+Level 26-27 are refinements/improved fixes on CVE-2014-6271.
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+diff -Nura bash-4.3/arrayfunc.c bash-4.3.pl27/arrayfunc.c
+--- bash-4.3/arrayfunc.c 2013-08-02 17:19:59.000000000 -0300
++++ bash-4.3.pl27/arrayfunc.c 2014-09-28 08:13:40.311842889 -0300
+@@ -179,6 +179,7 @@
+ array_insert (array_cell (entry), ind, newval);
+ FREE (newval);
+
++ VUNSETATTR (entry, att_invisible); /* no longer invisible */
+ return (entry);
+ }
+
+@@ -597,6 +598,11 @@
+ if (assoc_p (var))
+ {
+ val = expand_assignment_string_to_string (val, 0);
++ if (val == 0)
++ {
++ val = (char *)xmalloc (1);
++ val[0] = '\0'; /* like do_assignment_internal */
++ }
+ free_val = 1;
+ }
+
+diff -Nura bash-4.3/bashline.c bash-4.3.pl27/bashline.c
+--- bash-4.3/bashline.c 2014-02-09 21:56:58.000000000 -0300
++++ bash-4.3.pl27/bashline.c 2014-09-28 08:13:40.312842925 -0300
+@@ -4167,9 +4167,16 @@
+ int qc;
+
+ qc = rl_dispatching ? rl_completion_quote_character : 0;
+- dfn = bash_dequote_filename ((char *)text, qc);
++ /* If rl_completion_found_quote != 0, rl_completion_matches will call the
++ filename dequoting function, causing the directory name to be dequoted
++ twice. */
++ if (rl_dispatching && rl_completion_found_quote == 0)
++ dfn = bash_dequote_filename ((char *)text, qc);
++ else
++ dfn = (char *)text;
+ m1 = rl_completion_matches (dfn, rl_filename_completion_function);
+- free (dfn);
++ if (dfn != text)
++ free (dfn);
+
+ if (m1 == 0 || m1[0] == 0)
+ return m1;
+diff -Nura bash-4.3/builtins/common.h bash-4.3.pl27/builtins/common.h
+--- bash-4.3/builtins/common.h 2013-07-08 17:54:47.000000000 -0300
++++ bash-4.3.pl27/builtins/common.h 2014-09-28 08:13:40.313842959 -0300
+@@ -33,6 +33,8 @@
+ #define SEVAL_RESETLINE 0x010
+ #define SEVAL_PARSEONLY 0x020
+ #define SEVAL_NOLONGJMP 0x040
++#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
++#define SEVAL_ONECMD 0x100 /* only allow a single command */
+
+ /* Flags for describe_command, shared between type.def and command.def */
+ #define CDESC_ALL 0x001 /* type -a */
+diff -Nura bash-4.3/builtins/evalstring.c bash-4.3.pl27/builtins/evalstring.c
+--- bash-4.3/builtins/evalstring.c 2014-02-11 11:42:10.000000000 -0300
++++ bash-4.3.pl27/builtins/evalstring.c 2014-09-28 08:13:40.313842959 -0300
+@@ -308,6 +308,14 @@
+ {
+ struct fd_bitmap *bitmap;
+
++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ {
++ internal_warning ("%s: ignoring function definition attempt", from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ break;
++ }
++
+ bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ begin_unwind_frame ("pe_dispose");
+ add_unwind_protect (dispose_fd_bitmap, bitmap);
+@@ -368,6 +376,9 @@
+ dispose_command (command);
+ dispose_fd_bitmap (bitmap);
+ discard_unwind_frame ("pe_dispose");
++
++ if (flags & SEVAL_ONECMD)
++ break;
+ }
+ }
+ else
+diff -Nura bash-4.3/builtins/read.def bash-4.3.pl27/builtins/read.def
+--- bash-4.3/builtins/read.def 2013-09-02 12:54:00.000000000 -0300
++++ bash-4.3.pl27/builtins/read.def 2014-09-28 08:13:40.313842959 -0300
+@@ -442,7 +442,10 @@
+ add_unwind_protect (reset_alarm, (char *)NULL);
+ #if defined (READLINE)
+ if (edit)
+- add_unwind_protect (reset_attempted_completion_function, (char *)NULL);
++ {
++ add_unwind_protect (reset_attempted_completion_function, (char *)NULL);
++ add_unwind_protect (bashline_reset_event_hook, (char *)NULL);
++ }
+ #endif
+ falarm (tmsec, tmusec);
+ }
+@@ -1021,6 +1024,7 @@
+
+ old_attempted_completion_function = rl_attempted_completion_function;
+ rl_attempted_completion_function = (rl_completion_func_t *)NULL;
++ bashline_set_event_hook ();
+ if (itext)
+ {
+ old_startup_hook = rl_startup_hook;
+@@ -1032,6 +1036,7 @@
+
+ rl_attempted_completion_function = old_attempted_completion_function;
+ old_attempted_completion_function = (rl_completion_func_t *)NULL;
++ bashline_reset_event_hook ();
+
+ if (ret == 0)
+ return ret;
+diff -Nura bash-4.3/execute_cmd.c bash-4.3.pl27/execute_cmd.c
+--- bash-4.3/execute_cmd.c 2014-01-31 12:54:52.000000000 -0300
++++ bash-4.3.pl27/execute_cmd.c 2014-09-28 08:13:40.315843026 -0300
+@@ -2409,7 +2409,16 @@
+ #endif
+ lstdin = wait_for (lastpid);
+ #if defined (JOB_CONTROL)
+- exec_result = job_exit_status (lastpipe_jid);
++ /* If wait_for removes the job from the jobs table, use result of last
++ command as pipeline's exit status as usual. The jobs list can get
++ frozen and unfrozen at inconvenient times if there are multiple pipelines
++ running simultaneously. */
++ if (INVALID_JOB (lastpipe_jid) == 0)
++ exec_result = job_exit_status (lastpipe_jid);
++ else if (pipefail_opt)
++ exec_result = exec_result | lstdin; /* XXX */
++ /* otherwise we use exec_result */
++
+ #endif
+ unfreeze_jobs_list ();
+ }
+diff -Nura bash-4.3/externs.h bash-4.3.pl27/externs.h
+--- bash-4.3/externs.h 2014-01-02 16:58:20.000000000 -0300
++++ bash-4.3.pl27/externs.h 2014-09-28 08:13:40.315843026 -0300
+@@ -324,6 +324,7 @@
+ extern char *sh_backslash_quote __P((char *, const char *, int));
+ extern char *sh_backslash_quote_for_double_quotes __P((char *));
+ extern int sh_contains_shell_metas __P((char *));
++extern int sh_contains_quotes __P((char *));
+
+ /* declarations for functions defined in lib/sh/spell.c */
+ extern int spname __P((char *, char *));
+diff -Nura bash-4.3/jobs.c bash-4.3.pl27/jobs.c
+--- bash-4.3/jobs.c 2014-01-10 11:05:34.000000000 -0300
++++ bash-4.3.pl27/jobs.c 2014-09-28 08:13:40.316843059 -0300
+@@ -3597,6 +3597,7 @@
+ unwind_protect_int (jobs_list_frozen);
+ unwind_protect_pointer (the_pipeline);
+ unwind_protect_pointer (subst_assign_varlist);
++ unwind_protect_pointer (this_shell_builtin);
+
+ /* We have to add the commands this way because they will be run
+ in reverse order of adding. We don't want maybe_set_sigchld_trap ()
+@@ -4374,7 +4375,7 @@
+ void
+ end_job_control ()
+ {
+- if (interactive_shell) /* XXX - should it be interactive? */
++ if (interactive_shell || job_control) /* XXX - should it be just job_control? */
+ {
+ terminate_stopped_jobs ();
+
+diff -Nura bash-4.3/lib/glob/glob.c bash-4.3.pl27/lib/glob/glob.c
+--- bash-4.3/lib/glob/glob.c 2014-01-31 23:43:51.000000000 -0300
++++ bash-4.3.pl27/lib/glob/glob.c 2014-09-28 08:13:40.317843093 -0300
+@@ -123,6 +123,8 @@
+ extern char *glob_patscan __P((char *, char *, int));
+ extern wchar_t *glob_patscan_wc __P((wchar_t *, wchar_t *, int));
+
++extern char *glob_dirscan __P((char *, int));
++
+ /* Compile `glob_loop.c' for single-byte characters. */
+ #define CHAR unsigned char
+ #define INT int
+@@ -179,42 +181,53 @@
+ char *pat, *dname;
+ int flags;
+ {
+- char *pp, *pe, *t;
+- int n, r;
++ char *pp, *pe, *t, *se;
++ int n, r, negate;
+
++ negate = *pat == '!';
+ pp = pat + 2;
+- pe = pp + strlen (pp) - 1; /*(*/
+- if (*pe != ')')
++ se = pp + strlen (pp) - 1; /* end of string */
++ pe = glob_patscan (pp, se, 0); /* end of extglob pattern (( */
++ /* we should check for invalid extglob pattern here */
++ if (pe == 0)
+ return 0;
+- if ((t = strchr (pp, '|')) == 0) /* easy case first */
++
++ /* if pe != se we have more of the pattern at the end of the extglob
++ pattern. Check the easy case first ( */
++ if (pe == se && *pe == ')' && (t = strchr (pp, '|')) == 0)
+ {
+ *pe = '\0';
++#if defined (HANDLE_MULTIBYTE)
++ r = mbskipname (pp, dname, flags);
++#else
+ r = skipname (pp, dname, flags); /*(*/
++#endif
+ *pe = ')';
+ return r;
+ }
++
++ /* check every subpattern */
+ while (t = glob_patscan (pp, pe, '|'))
+ {
+ n = t[-1];
+ t[-1] = '\0';
++#if defined (HANDLE_MULTIBYTE)
++ r = mbskipname (pp, dname, flags);
++#else
+ r = skipname (pp, dname, flags);
++#endif
+ t[-1] = n;
+ if (r == 0) /* if any pattern says not skip, we don't skip */
+ return r;
+ pp = t;
+ } /*(*/
+
+- if (pp == pe) /* glob_patscan might find end of pattern */
++ /* glob_patscan might find end of pattern */
++ if (pp == se)
+ return r;
+
+- *pe = '\0';
+-# if defined (HANDLE_MULTIBYTE)
+- r = mbskipname (pp, dname, flags); /*(*/
+-# else
+- r = skipname (pp, dname, flags); /*(*/
+-# endif
+- *pe = ')';
+- return r;
++ /* but if it doesn't then we didn't match a leading dot */
++ return 0;
+ }
+ #endif
+
+@@ -277,20 +290,23 @@
+ int flags;
+ {
+ #if EXTENDED_GLOB
+- wchar_t *pp, *pe, *t, n;
+- int r;
++ wchar_t *pp, *pe, *t, n, *se;
++ int r, negate;
+
++ negate = *pat == L'!';
+ pp = pat + 2;
+- pe = pp + wcslen (pp) - 1; /*(*/
+- if (*pe != L')')
+- return 0;
+- if ((t = wcschr (pp, L'|')) == 0)
++ se = pp + wcslen (pp) - 1; /*(*/
++ pe = glob_patscan_wc (pp, se, 0);
++
++ if (pe == se && *pe == ')' && (t = wcschr (pp, L'|')) == 0)
+ {
+ *pe = L'\0';
+ r = wchkname (pp, dname); /*(*/
+ *pe = L')';
+ return r;
+ }
++
++ /* check every subpattern */
+ while (t = glob_patscan_wc (pp, pe, '|'))
+ {
+ n = t[-1];
+@@ -305,10 +321,8 @@
+ if (pp == pe) /* glob_patscan_wc might find end of pattern */
+ return r;
+
+- *pe = L'\0';
+- r = wchkname (pp, dname); /*(*/
+- *pe = L')';
+- return r;
++ /* but if it doesn't then we didn't match a leading dot */
++ return 0;
+ #else
+ return (wchkname (pat, dname));
+ #endif
+@@ -1006,7 +1020,7 @@
+ {
+ char **result;
+ unsigned int result_size;
+- char *directory_name, *filename, *dname;
++ char *directory_name, *filename, *dname, *fn;
+ unsigned int directory_len;
+ int free_dirname; /* flag */
+ int dflags;
+@@ -1022,6 +1036,18 @@
+
+ /* Find the filename. */
+ filename = strrchr (pathname, '/');
++#if defined (EXTENDED_GLOB)
++ if (filename && extended_glob)
++ {
++ fn = glob_dirscan (pathname, '/');
++#if DEBUG_MATCHING
++ if (fn != filename)
++ fprintf (stderr, "glob_filename: glob_dirscan: fn (%s) != filename (%s)\n", fn ? fn : "(null)", filename);
++#endif
++ filename = fn;
++ }
++#endif
++
+ if (filename == NULL)
+ {
+ filename = pathname;
+diff -Nura bash-4.3/lib/glob/gmisc.c bash-4.3.pl27/lib/glob/gmisc.c
+--- bash-4.3/lib/glob/gmisc.c 2013-10-28 15:45:25.000000000 -0300
++++ bash-4.3.pl27/lib/glob/gmisc.c 2014-09-28 08:13:40.317843093 -0300
+@@ -42,6 +42,8 @@
+ #define WLPAREN L'('
+ #define WRPAREN L')'
+
++extern char *glob_patscan __P((char *, char *, int));
++
+ /* Return 1 of the first character of WSTRING could match the first
+ character of pattern WPAT. Wide character version. */
+ int
+@@ -210,6 +212,7 @@
+ case '+':
+ case '!':
+ case '@':
++ case '?':
+ return (pat[1] == LPAREN);
+ default:
+ return 0;
+@@ -374,3 +377,34 @@
+
+ return matlen;
+ }
++
++/* Skip characters in PAT and return the final occurrence of DIRSEP. This
++ is only called when extended_glob is set, so we have to skip over extglob
++ patterns x(...) */
++char *
++glob_dirscan (pat, dirsep)
++ char *pat;
++ int dirsep;
++{
++ char *p, *d, *pe, *se;
++
++ d = pe = se = 0;
++ for (p = pat; p && *p; p++)
++ {
++ if (extglob_pattern_p (p))
++ {
++ if (se == 0)
++ se = p + strlen (p) - 1;
++ pe = glob_patscan (p + 2, se, 0);
++ if (pe == 0)
++ continue;
++ else if (*pe == 0)
++ break;
++ p = pe - 1; /* will do increment above */
++ continue;
++ }
++ if (*p == dirsep)
++ d = p;
++ }
++ return d;
++}
+diff -Nura bash-4.3/lib/readline/display.c bash-4.3.pl27/lib/readline/display.c
+--- bash-4.3/lib/readline/display.c 2013-12-27 15:10:56.000000000 -0300
++++ bash-4.3.pl27/lib/readline/display.c 2014-09-28 08:13:40.318843127 -0300
+@@ -1637,7 +1637,7 @@
+ /* If we are changing the number of invisible characters in a line, and
+ the spot of first difference is before the end of the invisible chars,
+ lendiff needs to be adjusted. */
+- if (current_line == 0 && !_rl_horizontal_scroll_mode &&
++ if (current_line == 0 && /* !_rl_horizontal_scroll_mode && */
+ current_invis_chars != visible_wrap_offset)
+ {
+ if (MB_CUR_MAX > 1 && rl_byte_oriented == 0)
+@@ -1825,8 +1825,13 @@
+ else
+ _rl_last_c_pos += bytes_to_insert;
+
++ /* XXX - we only want to do this if we are at the end of the line
++ so we move there with _rl_move_cursor_relative */
+ if (_rl_horizontal_scroll_mode && ((oe-old) > (ne-new)))
+- goto clear_rest_of_line;
++ {
++ _rl_move_cursor_relative (ne-new, new);
++ goto clear_rest_of_line;
++ }
+ }
+ }
+ /* Otherwise, print over the existing material. */
+@@ -2677,7 +2682,8 @@
+ {
+ if (_rl_echoing_p)
+ {
+- _rl_move_vert (_rl_vis_botlin);
++ if (_rl_vis_botlin > 0) /* minor optimization plus bug fix */
++ _rl_move_vert (_rl_vis_botlin);
+ _rl_vis_botlin = 0;
+ fflush (rl_outstream);
+ rl_restart_output (1, 0);
+diff -Nura bash-4.3/lib/readline/input.c bash-4.3.pl27/lib/readline/input.c
+--- bash-4.3/lib/readline/input.c 2014-01-10 17:07:08.000000000 -0300
++++ bash-4.3.pl27/lib/readline/input.c 2014-09-28 08:13:40.318843127 -0300
+@@ -534,8 +534,16 @@
+ return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF);
+ else if (_rl_caught_signal == SIGHUP || _rl_caught_signal == SIGTERM)
+ return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF);
++ /* keyboard-generated signals of interest */
+ else if (_rl_caught_signal == SIGINT || _rl_caught_signal == SIGQUIT)
+ RL_CHECK_SIGNALS ();
++ /* non-keyboard-generated signals of interest */
++ else if (_rl_caught_signal == SIGALRM
++#if defined (SIGVTALRM)
++ || _rl_caught_signal == SIGVTALRM
++#endif
++ )
++ RL_CHECK_SIGNALS ();
+
+ if (rl_signal_event_hook)
+ (*rl_signal_event_hook) ();
+diff -Nura bash-4.3/lib/readline/misc.c bash-4.3.pl27/lib/readline/misc.c
+--- bash-4.3/lib/readline/misc.c 2012-09-01 19:03:11.000000000 -0300
++++ bash-4.3.pl27/lib/readline/misc.c 2014-09-28 08:13:40.319843161 -0300
+@@ -461,6 +461,7 @@
+ saved_undo_list = 0;
+ /* Set up rl_line_buffer and other variables from history entry */
+ rl_replace_from_history (entry, 0); /* entry->line is now current */
++ entry->data = 0; /* entry->data is now current undo list */
+ /* Undo all changes to this history entry */
+ while (rl_undo_list)
+ rl_do_undo ();
+@@ -468,7 +469,6 @@
+ the timestamp. */
+ FREE (entry->line);
+ entry->line = savestring (rl_line_buffer);
+- entry->data = 0;
+ }
+ entry = previous_history ();
+ }
+diff -Nura bash-4.3/lib/readline/readline.c bash-4.3.pl27/lib/readline/readline.c
+--- bash-4.3/lib/readline/readline.c 2013-10-28 15:58:06.000000000 -0300
++++ bash-4.3.pl27/lib/readline/readline.c 2014-09-28 08:13:40.319843161 -0300
+@@ -744,7 +744,8 @@
+ r = _rl_subseq_result (r, cxt->oldmap, cxt->okey, (cxt->flags & KSEQ_SUBSEQ));
+
+ RL_CHECK_SIGNALS ();
+- if (r == 0) /* success! */
++ /* We only treat values < 0 specially to simulate recursion. */
++ if (r >= 0 || (r == -1 && (cxt->flags & KSEQ_SUBSEQ) == 0)) /* success! or failure! */
+ {
+ _rl_keyseq_chain_dispose ();
+ RL_UNSETSTATE (RL_STATE_MULTIKEY);
+@@ -964,7 +965,7 @@
+ #if defined (VI_MODE)
+ if (rl_editing_mode == vi_mode && _rl_keymap == vi_movement_keymap &&
+ key != ANYOTHERKEY &&
+- rl_key_sequence_length == 1 && /* XXX */
++ _rl_dispatching_keymap == vi_movement_keymap &&
+ _rl_vi_textmod_command (key))
+ _rl_vi_set_last (key, rl_numeric_arg, rl_arg_sign);
+ #endif
+diff -Nura bash-4.3/lib/sh/shquote.c bash-4.3.pl27/lib/sh/shquote.c
+--- bash-4.3/lib/sh/shquote.c 2013-03-31 22:53:32.000000000 -0300
++++ bash-4.3.pl27/lib/sh/shquote.c 2014-09-28 08:13:40.319843161 -0300
+@@ -311,3 +311,17 @@
+
+ return (0);
+ }
++
++int
++sh_contains_quotes (string)
++ char *string;
++{
++ char *s;
++
++ for (s = string; s && *s; s++)
++ {
++ if (*s == '\'' || *s == '"' || *s == '\\')
++ return 1;
++ }
++ return 0;
++}
+diff -Nura bash-4.3/parse.y bash-4.3.pl27/parse.y
+--- bash-4.3/parse.y 2014-02-11 11:42:10.000000000 -0300
++++ bash-4.3.pl27/parse.y 2014-09-28 08:14:06.094720199 -0300
+@@ -2424,7 +2424,7 @@
+ not already end in an EOF character. */
+ if (shell_input_line_terminator != EOF)
+ {
+- if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3)
++ if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size))
+ shell_input_line = (char *)xrealloc (shell_input_line,
+ 1 + (shell_input_line_size += 2));
+
+@@ -2642,7 +2642,7 @@
+ int r;
+
+ r = 0;
+- while (need_here_doc)
++ while (need_here_doc > 0)
+ {
+ parser_state |= PST_HEREDOC;
+ make_here_document (redir_stack[r++], line_number);
+@@ -2953,6 +2953,8 @@
+ FREE (word_desc_to_read);
+ word_desc_to_read = (WORD_DESC *)NULL;
+
++ eol_ungetc_lookahead = 0;
++
+ current_token = '\n'; /* XXX */
+ last_read_token = '\n';
+ token_to_read = '\n';
+@@ -3398,7 +3400,7 @@
+ within a double-quoted ${...} construct "an even number of
+ unescaped double-quotes or single-quotes, if any, shall occur." */
+ /* This was changed in Austin Group Interp 221 */
+- if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
++ if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
+ continue;
+
+ /* Could also check open == '`' if we want to parse grouping constructs
+@@ -6075,6 +6077,7 @@
+
+ ps->expand_aliases = expand_aliases;
+ ps->echo_input_at_read = echo_input_at_read;
++ ps->need_here_doc = need_here_doc;
+
+ ps->token = token;
+ ps->token_buffer_size = token_buffer_size;
+@@ -6123,6 +6126,7 @@
+
+ expand_aliases = ps->expand_aliases;
+ echo_input_at_read = ps->echo_input_at_read;
++ need_here_doc = ps->need_here_doc;
+
+ FREE (token);
+ token = ps->token;
+diff -Nura bash-4.3/patchlevel.h bash-4.3.pl27/patchlevel.h
+--- bash-4.3/patchlevel.h 2012-12-29 12:47:57.000000000 -0300
++++ bash-4.3.pl27/patchlevel.h 2014-09-28 08:14:07.486767564 -0300
+@@ -25,6 +25,6 @@
+ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
+ looks for to find the patch level (for the sccs version string). */
+
+-#define PATCHLEVEL 0
++#define PATCHLEVEL 27
+
+ #endif /* _PATCHLEVEL_H_ */
+diff -Nura bash-4.3/pcomplete.c bash-4.3.pl27/pcomplete.c
+--- bash-4.3/pcomplete.c 2013-08-26 16:23:45.000000000 -0300
++++ bash-4.3.pl27/pcomplete.c 2014-09-28 08:13:40.321843229 -0300
+@@ -183,6 +183,7 @@
+
+ COMPSPEC *pcomp_curcs;
+ const char *pcomp_curcmd;
++const char *pcomp_curtxt;
+
+ #ifdef DEBUG
+ /* Debugging code */
+@@ -753,6 +754,32 @@
+ quoted strings. */
+ dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character);
+ }
++ /* Intended to solve a mismatched assumption by bash-completion. If
++ the text to be completed is empty, but bash-completion turns it into
++ a quoted string ('') assuming that this code will dequote it before
++ calling readline, do the dequoting. */
++ else if (iscompgen && iscompleting &&
++ pcomp_curtxt && *pcomp_curtxt == 0 &&
++ text && (*text == '\'' || *text == '"') && text[1] == text[0] && text[2] == 0 &&
++ rl_filename_dequoting_function)
++ dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character);
++ /* Another mismatched assumption by bash-completion. If compgen is being
++ run as part of bash-completion, and the argument to compgen is not
++ the same as the word originally passed to the programmable completion
++ code, dequote the argument if it has quote characters. It's an
++ attempt to detect when bash-completion is quoting its filename
++ argument before calling compgen. */
++ /* We could check whether gen_shell_function_matches is in the call
++ stack by checking whether the gen-shell-function-matches tag is in
++ the unwind-protect stack, but there's no function to do that yet.
++ We could simply check whether we're executing in a function by
++ checking variable_context, and may end up doing that. */
++ else if (iscompgen && iscompleting && rl_filename_dequoting_function &&
++ pcomp_curtxt && text &&
++ STREQ (pcomp_curtxt, text) == 0 &&
++ variable_context &&
++ sh_contains_quotes (text)) /* guess */
++ dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character);
+ else
+ dfn = savestring (text);
+ }
+@@ -1522,7 +1549,7 @@
+ COMPSPEC **lastcs;
+ {
+ COMPSPEC *cs, *oldcs;
+- const char *oldcmd;
++ const char *oldcmd, *oldtxt;
+ STRINGLIST *ret;
+
+ cs = progcomp_search (ocmd);
+@@ -1545,14 +1572,17 @@
+
+ oldcs = pcomp_curcs;
+ oldcmd = pcomp_curcmd;
++ oldtxt = pcomp_curtxt;
+
+ pcomp_curcs = cs;
+ pcomp_curcmd = cmd;
++ pcomp_curtxt = word;
+
+ ret = gen_compspec_completions (cs, cmd, word, start, end, foundp);
+
+ pcomp_curcs = oldcs;
+ pcomp_curcmd = oldcmd;
++ pcomp_curtxt = oldtxt;
+
+ /* We need to conditionally handle setting *retryp here */
+ if (retryp)
+diff -Nura bash-4.3/shell.h bash-4.3.pl27/shell.h
+--- bash-4.3/shell.h 2012-12-25 23:11:01.000000000 -0300
++++ bash-4.3.pl27/shell.h 2014-09-28 08:13:40.321843229 -0300
+@@ -168,7 +168,8 @@
+ /* flags state affecting the parser */
+ int expand_aliases;
+ int echo_input_at_read;
+-
++ int need_here_doc;
++
+ } sh_parser_state_t;
+
+ typedef struct _sh_input_line_state_t {
+diff -Nura bash-4.3/subst.c bash-4.3.pl27/subst.c
+--- bash-4.3/subst.c 2014-01-23 18:26:37.000000000 -0300
++++ bash-4.3.pl27/subst.c 2014-09-28 08:13:40.322843263 -0300
+@@ -1192,12 +1192,18 @@
+ Start extracting at (SINDEX) as if we had just seen "<(".
+ Make (SINDEX) get the position of the matching ")". */ /*))*/
+ char *
+-extract_process_subst (string, starter, sindex)
++extract_process_subst (string, starter, sindex, xflags)
+ char *string;
+ char *starter;
+ int *sindex;
++ int xflags;
+ {
++#if 0
+ return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND));
++#else
++ xflags |= (no_longjmp_on_fatal_error ? SX_NOLONGJMP : 0);
++ return (xparse_dolparen (string, string+*sindex, sindex, xflags));
++#endif
+ }
+ #endif /* PROCESS_SUBSTITUTION */
+
+@@ -1785,7 +1791,7 @@
+ si = i + 2;
+ if (string[si] == '\0')
+ CQ_RETURN(si);
+- temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si);
++ temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si, 0);
+ free (temp); /* no SX_ALLOC here */
+ i = si;
+ if (string[i] == '\0')
+@@ -3248,8 +3254,10 @@
+ if (w->word == 0 || w->word[0] == '\0')
+ return ((char *)NULL);
+
++ expand_no_split_dollar_star = 1;
+ w->flags |= W_NOSPLIT2;
+ l = call_expand_word_internal (w, 0, 0, (int *)0, (int *)0);
++ expand_no_split_dollar_star = 0;
+ if (l)
+ {
+ if (special == 0) /* LHS */
+@@ -7366,7 +7374,13 @@
+ }
+
+ if (want_indir)
+- tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
++ {
++ tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
++ /* Turn off the W_ARRAYIND flag because there is no way for this function
++ to return the index we're supposed to be using. */
++ if (tdesc && tdesc->flags)
++ tdesc->flags &= ~W_ARRAYIND;
++ }
+ else
+ tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind);
+
+@@ -7847,6 +7861,10 @@
+ We also want to make sure that splitting is done no matter what --
+ according to POSIX.2, this expands to a list of the positional
+ parameters no matter what IFS is set to. */
++ /* XXX - what to do when in a context where word splitting is not
++ performed? Even when IFS is not the default, posix seems to imply
++ that we behave like unquoted $* ? Maybe we should use PF_NOSPLIT2
++ here. */
+ temp = string_list_dollar_at (list, (pflags & PF_ASSIGNRHS) ? (quoted|Q_DOUBLE_QUOTES) : quoted);
+
+ tflag |= W_DOLLARAT;
+@@ -8029,7 +8047,9 @@
+
+ goto return0;
+ }
+- else if (var = find_variable_last_nameref (temp1))
++ else if (var && (invisible_p (var) || var_isset (var) == 0))
++ temp = (char *)NULL;
++ else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
+ {
+ temp = nameref_cell (var);
+ #if defined (ARRAY_VARS)
+@@ -8243,7 +8263,7 @@
+ else
+ t_index = sindex + 1; /* skip past both '<' and LPAREN */
+
+- temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index); /*))*/
++ temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index, 0); /*))*/
+ sindex = t_index;
+
+ /* If the process substitution specification is `<()', we want to
+@@ -8816,6 +8836,7 @@
+ else
+ {
+ char *ifs_chars;
++ char *tstring;
+
+ ifs_chars = (quoted_dollar_at || has_dollar_at) ? ifs_value : (char *)NULL;
+
+@@ -8830,11 +8851,36 @@
+ regardless of what else has happened to IFS since the expansion. */
+ if (split_on_spaces)
+ list = list_string (istring, " ", 1); /* XXX quoted == 1? */
++ /* If we have $@ (has_dollar_at != 0) and we are in a context where we
++ don't want to split the result (W_NOSPLIT2), and we are not quoted,
++ we have already separated the arguments with the first character of
++ $IFS. In this case, we want to return a list with a single word
++ with the separator possibly replaced with a space (it's what other
++ shells seem to do).
++ quoted_dollar_at is internal to this function and is set if we are
++ passed an argument that is unquoted (quoted == 0) but we encounter a
++ double-quoted $@ while expanding it. */
++ else if (has_dollar_at && quoted_dollar_at == 0 && ifs_chars && quoted == 0 && (word->flags & W_NOSPLIT2))
++ {
++ /* Only split and rejoin if we have to */
++ if (*ifs_chars && *ifs_chars != ' ')
++ {
++ list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1);
++ tstring = string_list (list);
++ }
++ else
++ tstring = istring;
++ tword = make_bare_word (tstring);
++ if (tstring != istring)
++ free (tstring);
++ goto set_word_flags;
++ }
+ else if (has_dollar_at && ifs_chars)
+ list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1);
+ else
+ {
+ tword = make_bare_word (istring);
++set_word_flags:
+ if ((quoted & (Q_DOUBLE_QUOTES|Q_HERE_DOCUMENT)) || (quoted_state == WHOLLY_QUOTED))
+ tword->flags |= W_QUOTED;
+ if (word->flags & W_ASSIGNMENT)
+diff -Nura bash-4.3/subst.h bash-4.3.pl27/subst.h
+--- bash-4.3/subst.h 2014-01-11 23:02:27.000000000 -0300
++++ bash-4.3.pl27/subst.h 2014-09-28 08:13:40.322843263 -0300
+@@ -82,7 +82,7 @@
+ /* Extract the <( or >( construct in STRING, and return a new string.
+ Start extracting at (SINDEX) as if we had just seen "<(".
+ Make (SINDEX) get the position just after the matching ")". */
+-extern char *extract_process_subst __P((char *, char *, int *));
++extern char *extract_process_subst __P((char *, char *, int *, int));
+ #endif /* PROCESS_SUBSTITUTION */
+
+ /* Extract the name of the variable to bind to from the assignment string. */
+diff -Nura bash-4.3/test.c bash-4.3.pl27/test.c
+--- bash-4.3/test.c 2014-02-04 18:52:58.000000000 -0300
++++ bash-4.3.pl27/test.c 2014-09-28 08:13:40.323843297 -0300
+@@ -646,8 +646,8 @@
+ return (v && invisible_p (v) == 0 && var_isset (v) ? TRUE : FALSE);
+
+ case 'R':
+- v = find_variable (arg);
+- return (v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v) ? TRUE : FALSE);
++ v = find_variable_noref (arg);
++ return ((v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v)) ? TRUE : FALSE);
+ }
+
+ /* We can't actually get here, but this shuts up gcc. */
+@@ -723,6 +723,7 @@
+ case 'o': case 'p': case 'r': case 's': case 't':
+ case 'u': case 'v': case 'w': case 'x': case 'z':
+ case 'G': case 'L': case 'O': case 'S': case 'N':
++ case 'R':
+ return (1);
+ }
+
+diff -Nura bash-4.3/trap.c bash-4.3.pl27/trap.c
+--- bash-4.3/trap.c 2014-02-05 12:03:21.000000000 -0300
++++ bash-4.3.pl27/trap.c 2014-09-28 08:13:40.323843297 -0300
+@@ -920,7 +920,8 @@
+ subst_assign_varlist = 0;
+
+ #if defined (JOB_CONTROL)
+- save_pipeline (1); /* XXX only provides one save level */
++ if (sig != DEBUG_TRAP) /* run_debug_trap does this */
++ save_pipeline (1); /* XXX only provides one save level */
+ #endif
+
+ /* If we're in a function, make sure return longjmps come here, too. */
+@@ -940,7 +941,8 @@
+ trap_exit_value = last_command_exit_value;
+
+ #if defined (JOB_CONTROL)
+- restore_pipeline (1);
++ if (sig != DEBUG_TRAP) /* run_debug_trap does this */
++ restore_pipeline (1);
+ #endif
+
+ subst_assign_varlist = save_subst_varlist;
+diff -Nura bash-4.3/variables.c bash-4.3.pl27/variables.c
+--- bash-4.3/variables.c 2014-02-14 13:55:12.000000000 -0300
++++ bash-4.3.pl27/variables.c 2014-09-28 08:14:07.486767564 -0300
+@@ -83,6 +83,11 @@
+
+ #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0')
+
++#define BASHFUNC_PREFIX "BASH_FUNC_"
++#define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */
++#define BASHFUNC_SUFFIX "%%"
++#define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */
++
+ extern char **environ;
+
+ /* Variables used here and defined in other files. */
+@@ -279,7 +284,7 @@
+ static void propagate_temp_var __P((PTR_T));
+ static void dispose_temporary_env __P((sh_free_func_t *));
+
+-static inline char *mk_env_string __P((const char *, const char *));
++static inline char *mk_env_string __P((const char *, const char *, int));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+ static char **make_func_export_array __P((void));
+@@ -349,24 +354,33 @@
+
+ /* If exported function, define it now. Don't import functions from
+ the environment in privileged mode. */
+- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
++ if (privmode == 0 && read_but_dont_execute == 0 &&
++ STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
++ STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
++ STREQN ("() {", string, 4))
+ {
+- string_length = strlen (string);
+- temp_string = (char *)xmalloc (3 + string_length + char_index);
++ size_t namelen;
++ char *tname; /* desired imported function name */
+
+- strcpy (temp_string, name);
+- temp_string[char_index] = ' ';
+- strcpy (temp_string + char_index + 1, string);
++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;
+
+- if (posixly_correct == 0 || legal_identifier (name))
+- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
++ tname = name + BASHFUNC_PREFLEN; /* start of func name */
++ tname[namelen] = '\0'; /* now tname == func name */
++
++ string_length = strlen (string);
++ temp_string = (char *)xmalloc (namelen + string_length + 2);
+
+- /* Ancient backwards compatibility. Old versions of bash exported
+- functions like name()=() {...} */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+- name[char_index - 2] = '\0';
++ memcpy (temp_string, tname, namelen);
++ temp_string[namelen] = ' ';
++ memcpy (temp_string + namelen + 1, string, string_length + 1);
++
++ /* Don't import function names that are invalid identifiers from the
++ environment, though we still allow them to be defined as shell
++ variables. */
++ if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
++ parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+- if (temp_var = find_function (name))
++ if (temp_var = find_function (tname))
+ {
+ VSETATTR (temp_var, (att_exported|att_imported));
+ array_needs_making = 1;
+@@ -379,12 +393,11 @@
+ array_needs_making = 1;
+ }
+ last_command_exit_value = 1;
+- report_error (_("error importing function definition for `%s'"), name);
++ report_error (_("error importing function definition for `%s'"), tname);
+ }
+
+- /* ( */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- name[char_index - 2] = '('; /* ) */
++ /* Restore original suffix */
++ tname[namelen] = BASHFUNC_SUFFIX[0];
+ }
+ #if defined (ARRAY_VARS)
+ # if ARRAY_EXPORT
+@@ -2197,10 +2210,7 @@
+ /* local foo; local foo; is a no-op. */
+ old_var = find_variable (name);
+ if (old_var && local_p (old_var) && old_var->context == variable_context)
+- {
+- VUNSETATTR (old_var, att_invisible); /* XXX */
+- return (old_var);
+- }
++ return (old_var);
+
+ was_tmpvar = old_var && tempvar_p (old_var);
+ /* If we're making a local variable in a shell function, the temporary env
+@@ -2963,7 +2973,7 @@
+ var->context = variable_context; /* XXX */
+
+ INVALIDATE_EXPORTSTR (var);
+- var->exportstr = mk_env_string (name, value);
++ var->exportstr = mk_env_string (name, value, 0);
+
+ array_needs_making = 1;
+
+@@ -3861,21 +3871,42 @@
+ /* **************************************************************** */
+
+ static inline char *
+-mk_env_string (name, value)
++mk_env_string (name, value, isfunc)
+ const char *name, *value;
++ int isfunc;
+ {
+- int name_len, value_len;
+- char *p;
++ size_t name_len, value_len;
++ char *p, *q;
+
+ name_len = strlen (name);
+ value_len = STRLEN (value);
+- p = (char *)xmalloc (2 + name_len + value_len);
+- strcpy (p, name);
+- p[name_len] = '=';
++
++ /* If we are exporting a shell function, construct the encoded function
++ name. */
++ if (isfunc && value)
++ {
++ p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2);
++ q = p;
++ memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
++ q += BASHFUNC_PREFLEN;
++ memcpy (q, name, name_len);
++ q += name_len;
++ memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
++ q += BASHFUNC_SUFFLEN;
++ }
++ else
++ {
++ p = (char *)xmalloc (2 + name_len + value_len);
++ memcpy (p, name, name_len);
++ q = p + name_len;
++ }
++
++ q[0] = '=';
+ if (value && *value)
+- strcpy (p + name_len + 1, value);
++ memcpy (q + 1, value, value_len + 1);
+ else
+- p[name_len + 1] = '\0';
++ q[1] = '\0';
++
+ return (p);
+ }
+
+@@ -3961,7 +3992,7 @@
+ /* Gee, I'd like to get away with not using savestring() if we're
+ using the cached exportstr... */
+ list[list_index] = USE_EXPORTSTR ? savestring (value)
+- : mk_env_string (var->name, value);
++ : mk_env_string (var->name, value, function_p (var));
+
+ if (USE_EXPORTSTR == 0)
+ SAVE_EXPORTSTR (var, list[list_index]);
+diff -Nura bash-4.3/y.tab.c bash-4.3.pl27/y.tab.c
+--- bash-4.3/y.tab.c 2014-02-11 12:57:47.000000000 -0300
++++ bash-4.3.pl27/y.tab.c 2014-09-28 08:14:06.096720267 -0300
+@@ -4736,7 +4736,7 @@
+ not already end in an EOF character. */
+ if (shell_input_line_terminator != EOF)
+ {
+- if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3)
++ if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size))
+ shell_input_line = (char *)xrealloc (shell_input_line,
+ 1 + (shell_input_line_size += 2));
+
+@@ -4954,7 +4954,7 @@
+ int r;
+
+ r = 0;
+- while (need_here_doc)
++ while (need_here_doc > 0)
+ {
+ parser_state |= PST_HEREDOC;
+ make_here_document (redir_stack[r++], line_number);
+@@ -5265,6 +5265,8 @@
+ FREE (word_desc_to_read);
+ word_desc_to_read = (WORD_DESC *)NULL;
+
++ eol_ungetc_lookahead = 0;
++
+ current_token = '\n'; /* XXX */
+ last_read_token = '\n';
+ token_to_read = '\n';
+@@ -5710,7 +5712,7 @@
+ within a double-quoted ${...} construct "an even number of
+ unescaped double-quotes or single-quotes, if any, shall occur." */
+ /* This was changed in Austin Group Interp 221 */
+- if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
++ if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
+ continue;
+
+ /* Could also check open == '`' if we want to parse grouping constructs
+@@ -8387,6 +8389,7 @@
+
+ ps->expand_aliases = expand_aliases;
+ ps->echo_input_at_read = echo_input_at_read;
++ ps->need_here_doc = need_here_doc;
+
+ ps->token = token;
+ ps->token_buffer_size = token_buffer_size;
+@@ -8435,6 +8438,7 @@
+
+ expand_aliases = ps->expand_aliases;
+ echo_input_at_read = ps->echo_input_at_read;
++ need_here_doc = ps->need_here_doc;
+
+ FREE (token);
+ token = ps->token;
+@@ -8537,4 +8541,3 @@
+ }
+ }
+ #endif /* HANDLE_MULTIBYTE */
+-
projects / buildroot.git / commitdiff