On 2014-09-29 15:24 +0200, Ralf Corsepius wrote:
> On 09/29/2014 03:13 PM, Eric Blake wrote:
> > The whole point of the Shell Shock bug is that there are some values
> > that you cannot safely export, because doing so risks your child
> > misbehaving.  As we cannot predict which child processes will be run
> > during config.status, configure scripts may indeed be vulnerable.
>
> Do you have proof or is this just paranoia/hysteria?

It's pretty simple: current versions of bash will fail to import any
variable whose value starts with the 4-character sequence '() {'.

  % myvar='() {'; export myvar
  % dash -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % posh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % mksh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % jsh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % zsh -c 'echo hello, ${myvar+"myvar is set"}'
  myvar is set
  % bash -c 'echo hello, ${myvar+"myvar is set"}'
  bash: myvar: line 1: syntax error: unexpected end of file
  bash: error importing function definition for `myvar'
  hello,

Now admittedly this is a pretty obscure limitation, but particularly
if the input comes from the user, it represents a rather arbitrary
restriction on what can be entered.

Cheers,
-- 
Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/)

_______________________________________________
Autoconf mailing list
Autoconf@gnu.org
https://lists.gnu.org/mailman/listinfo/autoconf
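
One way a script could act on the limitation shown in the message above, as an added example that is not part of the original post or of Autoconf: check values for the '() {' prefix before exporting them, and list variables already in the environment that carry it. The function names are hypothetical.

```shell
# Added example; the function names below are hypothetical.

# Succeed if VALUE starts with the 4-character sequence '() {', which the
# message above shows bash treating as a function definition on import.
has_funcdef_prefix() {
    case $1 in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the names of variables already in the environment whose values
# start with '() {'. awk's ENVIRON is used instead of parsing `env`
# output, which is ambiguous when a value contains newlines.
list_risky_exports() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (substr(ENVIRON[name], 1, 4) == "() {")
                print name
    }' | sort
}

# checked_export NAME VALUE
# Export NAME=VALUE unless VALUE has the prefix. Returns 1 for a NAME that
# is not a valid identifier, 2 for a refused value.
checked_export() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            printf 'invalid variable name: %s\n' "$1" >&2
            return 1 ;;
    esac
    if has_funcdef_prefix "$2"; then
        printf '%s: value begins with "() {", not exported\n' "$1" >&2
        return 2
    fi
    # NAME was validated above, so this eval only assigns and exports.
    eval "$1=\$2; export $1"
}
```
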
