autoconf-patches
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] docs: mention that not all values can be exported


From: Zack Weinberg
Subject: Re: [PATCH] docs: mention that not all values can be exported
Date: Mon, 29 Sep 2014 10:44:36 -0400

On Sat, Sep 27, 2014 at 8:26 PM, Eric Blake <address@hidden> wrote:
> There has been a LOT of news about bash's Shell Shock bug lately.
> Document some of the ramifications it has on portable scripting.

I think this is a good idea in the abstract, but I think it's maybe a
little too specific to this particular incident.  Can I suggest
instead

+Posix requires @command{export} to work with any arbitrary value for the
+contents of the variable being exported.  However, some shells have extensions
+that involve interpreting some values specially.  We currently know of only one
+case: all versions of Bash released prior to 27 September 2014 interpret
+an environment variable whose value begins with @code{() @{} as a shell
+function definition.  (This is the ``Shellshock'' bug, CVE-2014-6271; it was
+possible to exploit the parser and cause code to execute immediately upon
+shell startup.  Newer versions of Bash use special environment variable
address@hidden to implement the same feature.)



reply via email to

[Prev in Thread] Current Thread [Next in Thread]