Date: Sat, 27 Sep 2014 14:20:36 -0400
From: Chet Ramey <chet.ramey@...e.edu>
To: Tavis Ormandy <taviso@...xchg8b.com>, Florian Weimer <fw@...eb.enyo.de>
CC: chet.ramey@...e.edu, Michal Zalewski <lcamtuf@...edump.cx>, Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-6271: remote code execution through bash

On 9/27/14, 2:17 PM, Chet Ramey wrote:

> So what's your opinion on the appropriate set of restrictions? This is a
> question that goes farther than what a particular shell will import,
> since I'm going to align the restrictions on what functions a shell will
> import from the environment with what functions that shell will let a
> user define. That means that a posix-mode shell will require imported
> functions to be valid identifiers, but a non-posix mode shell will allow
> words. The original check that was in bash-4.3 does this. What additional
> checks should there be? I can see starting with rejecting function names
> that can be confused with pathnames.
>
> Please chime in and let me know what you think.

Sorry, I should have added that I'm not interested in rehashing decisions
that were made 25 years ago, and I am completely aware that this "violates"
Posix. (That's why it doesn't do this in posix mode.)

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet@...e.edu http://cnswww.cns.cwru.edu/~chet/
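
The two import policies described in the message above, sketched as an added C example that is not part of the original post and is not bash source. The names `may_import_function` and `import_mode`, and the exact set of characters that disqualify a "word", are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Illustration only, not bash source. All names here are hypothetical. */
enum import_mode { MODE_POSIX, MODE_DEFAULT };

static bool is_name_start(unsigned char c)
{
    return c == '_' || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* POSIX "name": [A-Za-z_][A-Za-z0-9_]* (ASCII only, locale independent). */
static bool is_identifier(const char *s)
{
    if (!is_name_start((unsigned char)*s))
        return false;
    for (s++; *s; s++)
        if (!is_name_start((unsigned char)*s) && !(*s >= '0' && *s <= '9'))
            return false;
    return true;
}

/* Assumed "word" rule: non-empty, no blanks or control bytes, and none of
 * the characters the shell treats as operators, quoting or expansion. */
static bool is_plain_word(const char *s)
{
    if (*s == '\0')
        return false;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c <= ' ' || c == 0x7f || strchr("|&;()<>$`\"'\\=", c))
            return false;
    }
    return true;
}

/* Decide whether a function name taken from the environment is accepted. */
bool may_import_function(const char *name, enum import_mode mode)
{
    if (mode == MODE_POSIX)
        return is_identifier(name);
    if (strchr(name, '/'))          /* could be confused with a pathname */
        return false;
    return is_plain_word(name);
}
```

With these rules a name such as `my-func` is importable only outside posix mode, and `/bin/ls` is refused in both modes.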