Date: Wed, 01 Oct 2014 16:27:46 +0200 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Healing the bash fork On 10/01/2014 03:32 PM, Tomas Hoger wrote: > On Tue, 30 Sep 2014 19:19:55 -0400 (EDT) David A. Wheeler wrote: > >> * Approach 1: Florian Weimer's approach. Bash functions to be >> exported have a prefix ("BASH_FUNC_") and suffix added. Then, ONLY >> environment variables with that prefix and suffix are interpreted >> specially. This approach is used by Red Hat, CentOS, Debian, Ubuntu, >> and Cygwin (at least), and was later accepted into bash upstream. >> The original approach used "()" as the suffix; bash upstream took >> this but switched to the "%%" suffix instead, which is a nice >> improvement (since "%" is not a shell metacharacter this is less >> likely to trigger OTHER problems). I know Cygwin is using the bash >> upstream '%%' suffix. > > The following indicates there is other prefix and suffix used, that > makes these incompatibility issues worse: > > http://support.apple.com/kb/HT6495 > > The names of all environment variables that introduce function > definitions are required to have a prefix "__BASH_FUNC<" and suffix > ">()" to prevent unintended function passing via HTTP headers. I initially dismissed this as a presentation artifact in the web page, but it's true, there are additional <> characters in the mangled name. I wonder what breaks as a result. At least () and %% are somewhat benign in their effect if they are used unquoted in the relevant places (error, not accidental file creation). (To be absolute clear, I do not see any security issues with Apple's choice of mangling.) -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.