Re: Bash security issue
From: Nick Bowler
Subject: Re: Bash security issue
Date: Mon, 29 Sep 2014 11:44:37 -0400
User-agent: Mutt/1.5.22 (2013-10-16)

On 2014-09-29 15:24 +0200, Ralf Corsepius wrote:
> On 09/29/2014 03:13 PM, Eric Blake wrote:
> > The whole point of the Shell Shock bug is that there are some values
> > that you cannot safely export, because doing so risks your child
> > misbehaving. As we cannot predict which child processes will be run
> > during config.status, configure scripts may indeed be vulnerable.
>
> Do you have proof or is this just paranoia/hysteria?

It's pretty simple: current versions of bash will fail to import any
variable whose value starts with the 4-character sequence '() {'.

  % myvar='() {'; export myvar
  % dash -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % posh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % mksh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % jsh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % zsh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % bash -c 'echo hello, ${myvar+"myvar is set"}'
  bash: myvar: line 1: syntax error: unexpected end of file
  bash: error importing function definition for `myvar'
  hello,

Now admittedly this is a pretty obscure limitation, but particularly
if the input comes from the user, it represents a rather arbitrary
restriction on what can be entered.

Cheers,
--
Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/)
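
A script that exports user-supplied values can check for the prefix described in the message above before exporting. The following POSIX sh sketch is an added example, not part of the original message or of any project discussed in the thread; the function names `starts_like_function` and `unsafe_exports` are hypothetical.

```shell
# Added example (not from the original message): flag variables whose value
# begins with the 4-character sequence '() {', which the bash versions
# discussed above fail to import as ordinary variables.

# Return 0 if the value in $1 starts with '() {', 1 otherwise.
starts_like_function() {
    case $1 in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print, one per line, the names among the arguments that are set and
# whose value starts with '() {'.
# usage: unsafe_exports NAME...
unsafe_exports() {
    for _name in "$@"; do
        # Accept only valid identifiers so the eval below is safe.
        case $_name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        # Indirect lookup: _set is "x" if the variable exists, _val its value.
        eval "_set=\${$_name+x}; _val=\${$_name-}"
        [ -n "$_set" ] || continue
        if starts_like_function "$_val"; then
            printf '%s\n' "$_name"
        fi
    done
}
```

A caller can run `unsafe_exports` over the names it is about to export and decide whether to reject or warn about any names it prints.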