oss-sec mailing list archives
Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)
From: Bernhard Hermann <bernhard.hermann () gmail com>
Date: Fri, 26 Sep 2014 15:37:52 +0200
On Sep 26, 2014 2:48 PM, "John Haxby" <john.haxby () oracle com> wrote:
> Sufficiently unusual, I'd venture, that it should not be done implicitly. Florian's "BASH_FUNC_x()" makes it easier to blacklist these environment variables and ensures that a web server's HTTP_ prefix will not just create an oddly named function ... is that enough? Should bash simply make importing functions something that one has to ask for explicitly as Christos Zoulas (and others) suggested[1]?
I strongly believe that it should have been implemented this way from the start. Can anyone argue why making the import of functions explicit might be unwanted in any use case? Importing implicitly looks to me like buying powdered drugs from anonymous shady street dealers - there's a slim chance you might get what you wanted, but the odds (& esp. implications) of getting something toxic "from your environment" are most probably higher.

best regards,
Bernhard Hermann
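The blacklist that John Haxby's question refers to, written out as an added example (not part of the thread, and not bash's own code): a small POSIX sh filter that a CGI wrapper could apply to the environment it inherits from the web server before starting a child shell. It drops any variable whose value starts with "() {" (the prefix unpatched bash accepts as a function definition, whatever the variable is called) and any variable in the BASH_FUNC_ namespace of Florian's scheme, and then shows the allowlist alternative, which does not need to recognise function syntax at all. The function names (is_function_env, scrub_env, allowlist_env), the ALLOWED list and the sample environment are assumptions constructed for illustration; the "BASH_FUNC_x()" form is taken from the quoted message above.

```bash
#!/bin/sh
# Added example, not from the thread and not bash's own code.
# Rules, both taken from the discussion:
#   1. a value beginning with "() {" is imported by unpatched bash as a
#      function, regardless of the variable's name (HTTP_USER_AGENT included);
#   2. a name beginning with BASH_FUNC_ is the namespace Florian's patch
#      reserves for exported functions ("BASH_FUNC_x()" in the quoted mail).
# Names and sample data below are constructed for illustration.

# is_function_env NAME VALUE: succeed if the pair would be imported as a
# shell function under either rule above.
is_function_env() {
    case "$2" in
        "() {"*) return 0 ;;
    esac
    case "$1" in
        BASH_FUNC_*) return 0 ;;
    esac
    return 1
}

# scrub_env: read NAME=VALUE lines on stdin, print the safe ones on stdout
# and report dropped names on stderr. Lines without '=' are ignored.
# Line-oriented by design: a function body containing a newline is split
# across lines by plain `env`, so feed NUL-separated input in production
# or use allowlist_env below.
scrub_env() {
    while IFS= read -r line; do
        case "$line" in
            *=*) ;;
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        if is_function_env "$name" "$value"; then
            printf 'dropped %s\n' "$name" >&2
        else
            printf '%s\n' "$line"
        fi
    done
}

# allowlist_env: the stronger form. Keep only names listed in ALLOWED
# (space-separated), so attacker-controlled HTTP_* headers never reach
# the child at all, and no function-syntax recognition is needed.
ALLOWED="PATH HOME QUERY_STRING REQUEST_METHOD"
allowlist_env() {
    while IFS= read -r line; do
        name=${line%%=*}
        for ok in $ALLOWED; do
            if [ "$name" = "$ok" ]; then
                printf '%s\n' "$line"
                break
            fi
        done
    done
}

# Constructed sample of what a CGI child might inherit from the web server.
SAMPLE_ENV='PATH=/usr/bin:/bin
HOME=/var/www
REMOTE_ADDR=192.0.2.10
HTTP_USER_AGENT=() { :; }; echo injected
BASH_FUNC_x()=() { echo x; }
QUERY_STRING=a=1'

# Blacklist pass: drops HTTP_USER_AGENT and BASH_FUNC_x(), keeps the rest.
printf '%s\n' "$SAMPLE_ENV" | scrub_env
# Allowlist pass: additionally drops REMOTE_ADDR, which is not in ALLOWED.
printf '%s\n' "$SAMPLE_ENV" | allowlist_env
```

The two passes differ on REMOTE_ADDR: the blacklist keeps it because nothing about it looks like a function, the allowlist drops it because nobody asked for it. That is the practical difference behind the "is that enough?" in the quoted message: a blacklist has to know every encoding bash will accept as a function, an allowlist does not.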