autoconf-patches
Re: [PATCH] docs: mention that not all values can be exported


From: Nick Bowler
Subject: Re: [PATCH] docs: mention that not all values can be exported
Date: Mon, 29 Sep 2014 12:03:54 -0400
User-agent: Mutt/1.5.22 (2013-10-16)

On 2014-09-27 18:26 -0600, Eric Blake wrote:
> There has been a LOT of news about bash's Shell Shock bug lately.
> Document some of the ramifications it has on portable scripting.
[..]
> +Posix requires @command{export} to work with any arbitrary value for the
> +contents of the variable being exported, but some versions of Bash
> +(including all builds prior to September 2014) are vulnerable to the
> +``Shell Shock'' remote execution bug (CVE-2014-6271 and friends), where
> +exporting a variable with the initial substring of @code{() @{} could
> +trigger a number of undesirable behaviors at the startup of a child
> +bash.  Bash has an extension that allows the export of function
> +definitions, but this is not portable to other shells.
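
Review bot: the opening sentence of this hunk frames the problem as one of @command{export}, but the hunk itself places the undesirable behaviors "at the startup of a child bash"; suggest stating that the exported value is written to the environment unchanged and that the risk arises when a child bash initializes its variables from that environment. The closing sentence also mentions the function-export extension without saying how it relates to the @code{() @{} prefix, so a reader cannot tell why that substring matters. "A number of undesirable behaviors" could say, in one clause, what a script author should do about such values.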

Hm, this text seems a bit unclear... the problem is not "export", but in
the way bash startup assigns shell variables from the environment.  POSIX
doesn't say very much about how this process is supposed to work.  As
far as I can see, it just says:

  "[shell] variables shall be initialized from the environment ... if a
  variable was initialized from the environment, it shall be marked for
  export immediately".

Nevertheless, we can export these values in bash just fine, and they
will be correctly written to the environment:

  % cat >test.sh <<'EOF'
foo='() {'
echo "$foo"

export foo
dash -c 'echo "$foo"'
EOF

  % bash test.sh
  () {
  () {

Cheers,
-- 
Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/)
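
Added example, not part of Nick Bowler's message or of the Autoconf patch: because the value survives export unchanged and the risk lies in how a child bash imports it, a wrapper can inspect the environment before starting a child shell. The function names flag_funclike_env and guarded_run are hypothetical, and the check assumes an awk that provides ENVIRON, as POSIX awk does.

```shell
#!/bin/sh
# Added example; flag_funclike_env and guarded_run are hypothetical names.

# Print the names of environment variables whose value starts with "() {",
# one per line. awk's ENVIRON holds exact name/value pairs, so multi-line
# values cannot be mistaken for separate entries as with `env | grep`.
flag_funclike_env() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (substr(ENVIRON[name], 1, 4) == "() {")
                print name
    }' | sort
}

# Run "$@" only if no environment value looks like a function definition;
# otherwise report the offending names on stderr and return 1.
# Assumption: the caller does not rely on bash's exported functions, which
# a patched bash also stores as values beginning with "() {".
guarded_run() {
    flagged=$(flag_funclike_env)
    if [ -n "$flagged" ]; then
        echo "refusing to start child; function-like values in:" >&2
        printf '%s\n' "$flagged" >&2
        return 1
    fi
    "$@"
}

# Constructed demo using the same value as test.sh in the message above,
# kept in a subshell so the caller's environment is left untouched.
(
    foo='() {'
    export foo
    guarded_run sh -c 'echo "$foo"' || echo "child shell was not started"
)
```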