Chet Ramey wrote:
> On 9/28/14, 12:31 PM, Ángel González wrote:
>
> > There's also the middleground of not parsing the environment variables
> > before they are going to be used. That avoids the issues caused by
> > parsing what is not needed *and* doesn't break backwards compatibility.
> > See the patch I sent a couple days ago.
>
> That's a reasonably elegant extension, but it doesn't really solve the
> problem any better than fixing the underlying parser problem.

You still have to fix the parser, obviously. It reduces the attack surface
for parsed-but-not-executed functions (and I expect a performance
improvement, too).

> A user who can figure out how to pass a function with the appropriate name
> encoding, which at this point nobody has figured out to do remotely, can
> more than likely arrange for that function to be called, at which point it
> will be parsed and any underlying parser bug exposed.

Or he can simply put the code to be executed inside the function to be
called. There's no merit in exploiting a parser bug in the exported variable
grep (before patch 27) if the bash script executes grep.
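The exchange above turns on what bash does with environment variables whose value begins with the function-definition prefix `() {`: the pre-patch parser imported them eagerly and kept parsing past the closing brace, and patch 27 moved exported functions to an encoded variable name. As an added illustration from the defender's side (not code from the thread or from the bash project), the script below audits a set of environment variables for such definitions and flags the two things an administrator wants to know: whether any definition carries commands after its function body, and whether it is still delivered under a plain, unencoded name. The environment is constructed inline, and the `BASH_FUNC_name%%` naming and the brace-counting body scan are assumptions of this example, a simplification of bash's real parser.

```python
import re

# Constructed sample environment for the audit; not real captured data.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "TERM": "xterm",
    # Function body followed by extra commands: the pattern the parser fix rejects.
    "HTTP_USER_AGENT": "() { :; }; echo trailing",
    # Well-formed definition under the encoded name form (assumed: BASH_FUNC_<name>%%).
    "BASH_FUNC_grep%%": "() {  command grep --color=auto \"$@\"\n}",
    # Well-formed definition under a plain name, as pre-patch-27 exports looked.
    "grep": "() { command grep --color=auto \"$@\"; }",
    # Definition whose body never closes.
    "Y": "() { echo hi",
}

# bash recognises an exported function by this exact four-character prefix.
FUNC_PREFIX = "() {"
ENCODED_NAME = re.compile(r"^BASH_FUNC_(.+)%%$")


def find_body_end(value):
    """Index just past the '}' that closes the body, or -1 if it never closes.
    Simple brace counting (assumption): braces inside quoted strings are not
    special-cased, which is good enough for flagging trailing content."""
    start = value.index("{")
    depth = 0
    for i in range(start, len(value)):
        ch = value[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    return -1


def classify(value):
    """Return 'plain', 'unterminated', 'trailing-code' or 'function'."""
    if not value.startswith(FUNC_PREFIX):
        return "plain"
    end = find_body_end(value)
    if end == -1:
        return "unterminated"
    if value[end:].strip():
        return "trailing-code"
    return "function"


def audit(env):
    """Map every variable that looks like a function export to a finding.
    Plain variables are omitted; each finding records the body verdict and
    whether the variable name uses the encoded form."""
    findings = {}
    for name, value in env.items():
        verdict = classify(value)
        if verdict == "plain":
            continue
        findings[name] = {
            "verdict": verdict,
            "encoded_name": ENCODED_NAME.match(name) is not None,
        }
    return findings


def suspicious(env):
    """Names worth escalating: trailing code after a body, an unterminated
    body, or a definition delivered under an unencoded name."""
    return sorted(
        name for name, f in audit(env).items()
        if f["verdict"] != "function" or not f["encoded_name"]
    )


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ENV).items():
        print(f"{name}: {finding['verdict']} (encoded name: {finding['encoded_name']})")
    print("suspicious:", suspicious(SAMPLE_ENV))
```

Run it against a real environment by passing `dict(os.environ)` to `audit()`; the same check can be applied to the environment a CGI handler or SSH forced command receives, which is where these variables arrive from outside.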