From 3ee228b79775a7ac221d12a7a1bb4f39435ac4c6 Mon Sep 17 00:00:00 2001
From: Siteshwar Vashisht
Date: Thu, 29 May 2025 13:36:03 +0200
Subject: [PATCH] Disable unescaped slashes in bracket expressions

Resolves: RHEL-92267
Signed-off-by: Siteshwar Vashisht
---
 bash-5.0-glob-disable-slash.patch | 40 +++++++++++++++++++++++++++++++
 bash.spec | 9 ++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 bash-5.0-glob-disable-slash.patch

diff --git a/bash-5.0-glob-disable-slash.patch b/bash-5.0-glob-disable-slash.patch
new file mode 100644
index 0000000..ebee0c6
--- /dev/null
+++ b/bash-5.0-glob-disable-slash.patch
@@ -0,0 +1,40 @@
+diff --git a/pathexp.c b/pathexp.c
+--- a/pathexp.c
++++ b/pathexp.c
+@@ -58,7 +58,10 @@ int extended_glob = EXTGLOB_DEFAULT;
+ /* Control enabling special handling of `**' */
+ int glob_star = 0;
+
+-/* Return nonzero if STRING has any unquoted special globbing chars in it. */
++/* Return nonzero if STRING has any unquoted special globbing chars in it.
++ This is supposed to be called when pathname expansion is performed, so
++ it implements the rules in Posix 2.13.3, specifically that an unquoted
++ slash cannot appear in a bracket expression. */
+ int
+ unquoted_glob_pattern_p (string)
+ register char *string;
+@@ -89,6 +92,10 @@ unquoted_glob_pattern_p (string)
+ return (1);
+ continue;
+
++ case '/':
++ if (open)
++ open = 0;
++
+ case '+':
+ case '@':
+ case '!':
+@@ -98,7 +105,12 @@ unquoted_glob_pattern_p (string)
+
+ case CTLESC:
+ case '\\':
+- if (*string++ == '\0')
++ if (open && *string == '/')
++ {
++ string++; /* quoted slashes in bracket expressions are ok */
++ continue;
++ }
++ else if (*string++ == '\0')
+ return (0);
+ }
+
diff --git a/bash.spec b/bash.spec
index 3e649cc..f5e1e22 100644
--- a/bash.spec
+++ b/bash.spec
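Review bot: The new `case '/':` in the second pathexp.c hunk (`@@ -89,6 +92,10 @@`) has no `continue` after `open = 0;`, so control falls through into the `case '+':` / `case '@':` / `case '!':` labels, and nothing marks that as deliberate. The body those labels share lies outside the hunk, so it cannot be confirmed from here that running it for a slash is harmless; if the fall-through is intended, add `/* FALLTHROUGH */` after `open = 0;`, otherwise end the case with `continue;`. Because this function decides whether a word is subject to pathname expansion, a regression check for words such as `[a/b]` and `[a\/b]` (constructed examples) would pin the new behaviour, and the diffstat shows the commit adds none. unquoted_glob_pattern_p starts and ends outside all three hunks.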
@@ -7,7 +7,7 @@
 Version: %{baseversion}%{patchleveltag}
 Name: bash
 Summary: The GNU Bourne Again shell
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv3+
 Url: https://www.gnu.org/software/bash
 Source0: https://ftp.gnu.org/gnu/bash/bash-%{baseversion}.tar.gz
@@ -120,6 +120,9 @@ Patch139: bash-4.4-fix-buffered_getchar-crash.patch
 # Enable audit logs
 Patch140: bash-4.3-audit.patch
 
+# Disable unescaped slashes in bracket expressions
+Patch141: bash-5.0-glob-disable-slash.patch
+
 BuildRequires: texinfo bison
 BuildRequires: ncurses-devel
 BuildRequires: autoconf, gettext
@@ -344,6 +347,10 @@ end
 %{_libdir}/pkgconfig/%{name}.pc
 
 %changelog
+* Thu May 29 2025 Siteshwar Vashisht - 4.4.20-6
+- Disable unescaped slashes in bracket expressions
+ Resolves: RHEL-92267
+
 * Fri Feb 09 2024 Siteshwar Vashisht - 4.4.20-5
 - Restore audit logs in bash-4.3 or newer versions
 Resolves: RHEL-24990