Date: Sat, 27 Sep 2014 16:09:51 -0400 From: Chet Ramey <chet.ramey@...e.edu> To: Michal Zalewski <lcamtuf@...edump.cx> CC: chet.ramey@...e.edu, Tavis Ormandy <taviso@...xchg8b.com>, Florian Weimer <fw@...eb.enyo.de>, Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com Subject: Re: CVE-2014-6271: remote code execution through bash On 9/27/14, 3:39 PM, Michal Zalewski wrote: >> STD::what::does::this::do > > We ran into this problem with the original patch at Google, but TBH, > we've just bitten the bullet. > > I'm not sure how hard we should try to accommodate outliers like this > specifically for functions - as far as I can tell, you can't really > get away with meaningfully using colons in variable names, right? But > if you just want to minimize breakage without getting into existential > discussions, wouldn't wihtelisting : and perhaps periods and - going > out on a limb - brackets be good enough? We already make function names and variable names different, so there's no going back -- variable names have the usual restrictions, but with function names it's essentially anything goes. Since we would be going from essentially anything goes to a very small set of acceptable exceptions, I can see a steady stream of "I used to be able to use character X in my function names and can't now." Frankly, the really dangerous one is `/', since it allows you to circumvent scripts that attempt to use full pathnames to bypass shell function lookups. I am more interested in other dangerous characters, the existential debate between whitelists and blacklists notwithstanding. Chet -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, ITS, CWRU chet@...e.edu http://cnswww.cns.cwru.edu/~chet/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.