Date: Sun, 28 Sep 2014 21:13:22 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Cc: Chester Ramey <chet.ramey@...e.edu>
Subject: Re: Fwd: Non-upstream patches for bash

On 28 September 2014 01:06, Solar Designer <solar@...nwall.com> wrote:
> This also means that we should treat any programs that generate bash
> scripts with (sanitized) untrusted input in them as unsafe, and patch
> those to use safer mechanisms to pass (sanitized) inputs to scripts
> (preferably use env vars with fixed names).

The problem with this approach is that a sh is useful for both system(3)
and wrapping things like java.

This problem came up because bash was parsing environment variables even
when the script wasn't referencing them. I don't think anyone lets
network users set completely arbitrary environment variable names.

I think Debian's approach of dash as /bin/sh, and bash as an interactive
shell is the right balance.

I switched a Fedora box to using dash as /bin/sh, and so far have only
logged one bug for something that broke, and it pretty much deserved to
break (BZ #1146733).

Regards,
  Michael
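
The recommendation quoted at the top of this message (pass input to a script through an environment variable with a fixed name instead of writing it into generated script text), shown as an added example that is not part of the original post. The variable name UNTRUSTED_INPUT, the function names and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input containing shell metacharacters.
SAMPLE='report.txt"; echo INJECTED; : "'

# Generated-script style: the value is pasted into the script text,
# so the child shell parses part of it as commands.
run_generated() {
    sh -c "printf '%s\n' \"$1\""
}

# Fixed-name env var style: the script text is a constant string and the
# value is only ever expanded as data through "$UNTRUSTED_INPUT"
# (hypothetical variable name).
run_fixed_env() {
    UNTRUSTED_INPUT=$1 sh -c 'printf "%s\n" "$UNTRUSTED_INPUT"'
}

echo "generated script output:"
run_generated "$SAMPLE"
echo "fixed-name env var output:"
run_fixed_env "$SAMPLE"
```

With the fixed-name variable the child shell prints the value byte for byte; with the generated script the same value is split into an extra command.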