[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
sniffing for shellshock [was: Autoconf Digest, Vol 125, Issue 22]
|
From: |
Eric Blake |
|
Subject: |
sniffing for shellshock [was: Autoconf Digest, Vol 125, Issue 22] |
|
Date: |
Mon, 29 Sep 2014 07:11:09 -0600 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 |
On 09/28/2014 11:02 AM, David A. Wheeler wrote:
> Eric Blake <address@hidden> posted on Sat, 27 Sep 2014 18:26:43 -0600:
>> There has been a LOT of news about bash's Shell Shock bug lately.
>> Document some of the ramifications it has on portable scripting.
>
> Documenting this seems reasonable.
Thanks; I'll push my patch soon.
>
>> I'm still debating about adding a sniffer to configure scripts that
>> warns users if they still have a vulnerable bash on their system,
>
> I think it'd be reasonable to add some basic detections for easy cases.
Here's a fairly easy test:
export x='() { :; }'
y=`bash -c 'echo "$x"'`
if test "x$x" != "x$y"; then
echo "The first bash on your \$PATH is vulnerable to Shell Shock"
fi
(of course, I'd tweak it to fit in more with Autoconf style). But the
point is that ALL we have to check for is whether the shell FAILS to
export a normal variable as a normal variable, not whether functions get
auto-instantiated.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature