Re: CVE-2014-6271: remote code execution through bash

[Chet Ramey <chet.ramey () case edu>]

On 9/27/14, 3:39 PM, Michal Zalewski wrote:
> > STD::what::does::this::do
>
> We ran into this problem with the original patch at Google, but TBH,
> we've just bitten the bullet.
>
> I'm not sure how hard we should try to accommodate outliers like this
> specifically for functions - as far as I can tell, you can't really
> get away with meaningfully using colons in variable names, right? But
> if you just want to minimize breakage without getting into existential
> discussions, wouldn't wihtelisting : and perhaps periods and - going
> out on a limb - brackets be good enough?

We already make function names and variable names different, so there's
no going back -- variable names have the usual restrictions, but with
function names it's essentially anything goes.

Since we would be going from essentially anything goes to a very small
set of acceptable exceptions, I can see a steady stream of "I used to
be able to use character X in my function names and can't now."  Frankly,
the really dangerous one is `/', since it allows you to circumvent scripts
that attempt to use full pathnames to bypass shell function lookups.  I
am more interested in other dangerous characters, the existential debate
between whitelists and blacklists notwithstanding.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet () case edu    http://cnswww.cns.cwru.edu/~chet/