bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: BASH_FUNC__ appearing in environment


From: steveT
Subject: Re: BASH_FUNC__ appearing in environment
Date: Thu, 27 Nov 2014 08:36:20 -0800 (PST)
User-agent: G2/1.0

On Thursday, 27 November 2014 16:23:15 UTC, Eduardo A. Bustamante López  wrote:
> On Thu, Nov 27, 2014 at 03:43:05AM -0800, steveT wrote:
> > I am not sure if this is the correct place to raise this - I have tried 
> > specific Fedora and bash forums, but with no joy so far.
> Bash forums :-)? I'm interested on knowing which ones!
> 
> > This may be expected behaviour, but it seems so random. The above seems to 
> > be related to rcs, but I also intermittently get similar entries for 
> > BASH_FUNC__sudo. I am not sure if these functions appearing in my 
> > environment poses any sort of issue - but I have never seen such entries 
> > appear before.
> > 
> > Any ideas as to what they are and why/when/how they are appearing in my 
> > environment?
> This is expected. Where were you when the shellshock crisis happened? Before
> shellshock, bash would export functions by using something like this:
> 
> $ name='(){ echo foo; }' bash -c name
> foo
> 
> But, this turned out to be a big issue, because of a bug in how bash parsed
> that function definition, which allowed bad people to do nasty stuff, like:
> 
> USER_AGENT='(){ echo foo; }; cat /etc/passwd' ...
> 
> (bash was being used for CGI scripts, which pass around some HTTP headers
> as environment variables)
> 
> This became a mess very quickly, with more and more parser bugs coming out
> that would make that bug even more dangerous, so a solution was introduced
> by RedHat variants (including Fedora, I guess), of prefixing these
> function definitions with the special 'BASH_FUNC_'. This helped reduce the
> attack surface. In the end, the official bash patch took a similar path, by
> using that prefix, but also adding a %% suffix:
> 
> dualbus@hp:~$ f(){ echo foo; }; export -f f; env|grep %% -A1
> BASH_FUNC_f%%=() {  echo foo
> }
> 
> 
> Wikipedia has an entry, if you want to read more:
> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

Eduardo,
Thanks for getting back to me.
I think I understood about shellshock, but what I still don't understand is why 
these 'BASH_FUNC__' variables appear intermittently - ie what is exporting them 
to the shell and why? They seem to appear randomly. At first, I thought it was 
a side effect of scripts that I had written, but the scripts that appear to get 
exported in my environment as 'BASH_FUNC__'seem to be linked to 'standard' 
'bin' commands such as rcs and sudo.
I don't recall seeing this sort of effect under Fedora 16 or 18, just under 
Fedora 20.
Is there any way that I can trace them back to their 'creator'?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]