Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 28 Sep 2014 21:13:22 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Cc: Chester Ramey <chet.ramey@...e.edu>
Subject: Re: Fwd: Non-upstream patches for bash

On 28 September 2014 01:06, Solar Designer <solar@...nwall.com> wrote:
> This also means that we should treat any programs that generate bash
> scripts with (sanitized) untrusted input in them as unsafe, and patch
> those to use safer mechanisms to pass (sanitized) inputs to scripts
> (preferably use env vars with fixed names).

The problem with this approach is that a sh is useful for both system(3)
and wrapping things like java.

This problem came up because bash was parsing environment variables
even when the script wasn't referencing them.  I don't think anyone lets
network users set completely arbitrary environment variable names.

I think Debian's approach of dash as /bin/sh, and bash as an interactive
shell is the right balance.

I switched a Fedora box to using dash as /bin/sh, and so far have only
logged one bug for something that broke, and it pretty much deserved
to break (BZ #1146733).

Regards,
  Michael

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.