On Sunday, September 28, 2014 4:38:24 PM UTC+1, beck...@gmail.com wrote: ...... > If I use the Arch linux [testing] bash-4.3.027-1 which is uses this patch > then I have a patch against the at(1) source which converts exported > functions into something that sh can parse and allows exported functions to > be used in the environment that calls at. > .......
Jon Seymour asked me if my at patch would fix the following vulnerablity (presumably in at(1)) echo pwd | env "/tmp/exploit=me" at tomorrow which I presume relies on acceptance of /tmp/exploit=me as a possible command. I'm not sure it does since the current at code writes the variable name out unconditionally (ie no inspection of characters etc etc). I could probably raise an error for bad variable names, but I'm not sure I understand what characters are now illegal or what the lexical definition of bash/sh variable names is now. So I would appreciate advice on that.
