Re: Shellshock timeline

[Eric Blake <eblake () redhat com>]

On 10/03/2014 04:10 PM, Eric Blake wrote:
> On 10/03/2014 01:28 PM, David A. Wheeler wrote:
> > FYI, I've created a timeline of major Shellshock events here:
> >
> >   http://www.dwheeler.com/essays/shellshock.html#timeline
> >
> > If anyone has corrections or key additions, let me know.

In section 1.2, you mention that Florian suggested suffix additions; but
he was not alone in the suggestion; I also independently came up with
the idea (primarily because patch 25 included a change to a comment line
that mentioned the past attempt to use a suffix):

https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00094.html 24 Sep
2014 15:38:31 -0600

My arguments at the time were based more on namespace pollution
considerations (what happens when a function name and variable name
collide), and it wasn't until later that I learned that the oss-security
list was discussing ramifications of the fact that ANY parser bug is a
major hole if untrusted user data is unconditionally presented to the
parser, without regards to namespace pollution.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature