Re: Bash security issue

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bash security issue

From:	Linda Walsh
Subject:	Re: Bash security issue
Date:	Sat, 27 Sep 2014 09:05:54 -0700
User-agent:	Thunderbird



Eric Blake wrote:


What prevents BASH_FUNC_foo = '(){ :; ...';


Nothing, as you wrote it, because you have no () on the left of the
equal.

----
Then what is wrong with
foo()={ :; ... ;}... That cannot be a legal variable name either.

Other languages like PERL rely on ENV vars and will fail badly if
something messes with the ENV.  (Try making perl with
PERL5OPT='-Mutf8 -CSA -I/home/mylib').  If you mess with the env
prior to a interpreter that depends on the ENV, its going to cause
problems and it will be a short while before exploits can be developed
from such.

Besides, if you want to make it illegal, why not ƒfoo:{function def}
That makes for an impossible ENVvar AND only costs 1 more byte of memory
than adding 10 bytes.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Bash security issue, (continued)

Prev by Date: Re: Issues with exported functions
Next by Date: Re: REGRESSION: shellshock patch rejects valid function names
Previous by thread: Re: Bash security issue
Next by thread: Re: Bash security issue
Index(es):
- Date
- Thread