[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] docs: mention that not all values can be exported
From: |
Zack Weinberg |
Subject: |
Re: [PATCH] docs: mention that not all values can be exported |
Date: |
Mon, 29 Sep 2014 10:44:36 -0400 |
On Sat, Sep 27, 2014 at 8:26 PM, Eric Blake <address@hidden> wrote:
> There has been a LOT of news about bash's Shell Shock bug lately.
> Document some of the ramifications it has on portable scripting.
I think this is a good idea in the abstract, but I think it's maybe a
little too specific to this particular incident. Can I suggest
instead
+Posix requires @command{export} to work with any arbitrary value for the
+contents of the variable being exported. However, some shells have extensions
+that involve interpreting some values specially. We currently know of only one
+case: all versions of Bash released prior to 27 September 2014 interpret
+an environment variable whose value begins with @code{() @{} as a shell
+function definition. (This is the ``Shellshock'' bug, CVE-2014-6271; it was
+possible to exploit the parser and cause code to execute immediately upon
+shell startup. Newer versions of Bash use special environment variable
address@hidden to implement the same feature.)