[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Issues with exported functions
|
From: |
Ángel González |
|
Subject: |
Re: Issues with exported functions |
|
Date: |
Mon, 29 Sep 2014 20:45:52 +0200 |
Chet Ramey wrote:
> On 9/28/14, 12:31 PM, Ángel González wrote:
>
> > There's also the middleground of not parsing the environment variables
> > before they are going to be used. That avoids the issues caused by
> > parsing what is not needed *and* doesn't break backwards compatibility.
> > See the patch I sent a couple days ago.
>
> That's a reasonably elegant extension, but it doesn't really solve the
> problem any better than fixing the underlying parser problem.
You still have to fix the parser, obviously. It reduces the attack
surface for parsed-but-not-executed functions (and I expect a
performance improvement, too).
> A user who can figure out how to pass a function with the appropriate name
> encoding,
> which at this point nobody has figured out to do remotely, can more than
> likely arrange for that function to be called, at which point it will be
> parsed and any underlying parser bug exposed.
Or he can simply put the code to be executed inside the function to be called.
There's no merit in exploiting a parser bug in the exported variable grep
(before
patch 27) if the bash script executes grep.
Re: Issues with exported functions, becker . rg, 2014/09/27