Date: Sun, 28 Sep 2014 21:13:22 +1000 From: Michael Samuel <mik@...net.net> To: oss-security@...ts.openwall.com Cc: Chester Ramey <chet.ramey@...e.edu> Subject: Re: Fwd: Non-upstream patches for bash On 28 September 2014 01:06, Solar Designer <solar@...nwall.com> wrote: > This also means that we should treat any programs that generate bash > scripts with (sanitized) untrusted input in them as unsafe, and patch > those to use safer mechanisms to pass (sanitized) inputs to scripts > (preferably use env vars with fixed names). The problem with this approach is that a sh is useful for both system(3) and wrapping things like java. This problem came up because bash was parsing environment variables even when the script wasn't referencing them. I don't think anyone lets network users set completely arbitrary environment variable names. I think Debian's approach of dash as /bin/sh, and bash as an interactive shell is the right balance. I switched a Fedora box to using dash as /bin/sh, and so far have only logged one bug for something that broke, and it pretty much deserved to break (BZ #1146733). Regards, Michael
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.