bug-bash

Re: Bash security issue


From: Linda Walsh
Subject: Re: Bash security issue
Date: Sat, 27 Sep 2014 09:05:54 -0700
User-agent: Thunderbird



Eric Blake wrote:

>> What prevents BASH_FUNC_foo = '(){ :; ...';
>
> Nothing, as you wrote it, because you have no () on the left of the
> equal.
----
Then what is wrong with
foo()={ :; ... ;}... That cannot be a legal variable name either.

Other languages like PERL rely on ENV vars and will fail badly if
something messes with the ENV.  (Try making perl with
PERL5OPT='-Mutf8 -CSA -I/home/mylib').  If you mess with the env
prior to an interpreter that depends on the ENV, it's going to cause
problems and it will be a short while before exploits can be developed
from such.

Besides, if you want to make it illegal, why not ƒfoo:{function def}
That makes for an impossible ENVvar AND only costs 1 more byte of memory
than adding 10 bytes.





