autoconf

Re: Bash security issue


From: Nick Bowler
Subject: Re: Bash security issue
Date: Mon, 29 Sep 2014 11:44:37 -0400
User-agent: Mutt/1.5.22 (2013-10-16)

On 2014-09-29 15:24 +0200, Ralf Corsepius wrote:
> On 09/29/2014 03:13 PM, Eric Blake wrote:
> > The whole point of the Shell Shock bug is that there are some values
> > that you cannot safely export, because doing so risks your child
> > misbehaving.  As we cannot predict which child processes will be run
> > during config.status, configure scripts may indeed be vulnerable.
>
> Do you have proof or is this just paranoia/hysteria?

It's pretty simple: current versions of bash will fail to import any
variable whose value starts with the 4-character sequence '() {'.

  % myvar='() {'; export myvar
  % dash -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % posh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % mksh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % jsh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % zsh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % bash -c 'echo hello, ${myvar+"myvar is set"}'
  bash: myvar: line 1: syntax error: unexpected end of file
  bash: error importing function definition for `myvar'
  hello,

Now admittedly this is a pretty obscure limitation, but particularly
if the input comes from the user, it represents a rather arbitrary
restriction on what can be entered.

Cheers,
-- 
Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/)
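
Added example, not part of the message above or of autoconf: a POSIX shell guard for scripts that export user-supplied values. It refuses any value beginning with the 4-character sequence '() {' and lists variables already in the environment that begin with it. The function names and DEMO_VAR are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message). All names are hypothetical.

# starts_with_funcdef VALUE
# Returns 0 when VALUE begins with the 4 characters '() {', the prefix the
# message shows bash treating as a function definition on import.
starts_with_funcdef() {
    case $1 in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# safe_export NAME VALUE
# Exports NAME=VALUE only if a child shell could import the value unchanged.
# Returns 2 for an invalid variable name, 1 for a refused value.
safe_export() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "safe_export: invalid variable name" >&2
            return 2 ;;
    esac
    if starts_with_funcdef "$2"; then
        echo "safe_export: refusing $1, value begins with '() {'" >&2
        return 1
    fi
    export "$1=$2"
}

# list_risky_env
# Prints the names of variables already in the environment whose value
# begins with '() {'. awk reads the environment directly, so the check
# does not depend on which shell imported the variables.
list_risky_env() {
    awk 'BEGIN {
        for (n in ENVIRON)
            if (substr(ENVIRON[n], 1, 4) == "() {") print n
    }' | sort
}

# Constructed demo input: the value used in the message above.
demo_value='() {'
safe_export DEMO_VAR "$demo_value" || echo "DEMO_VAR was not exported"
```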


