> The expected security improvement is essentially nonexistent. In the current
> case of importing functions from the environment (and we could have a looong
> philosophical conversation about whether this is a vulnerability in bash or
> in its callers, where the likely outcome is “not a vulnerability in bash but
> by far easiest to fix in bash”)

> Why would this be a philosophical discussion when there were clearly bugs in
> the parser allowing things it shouldn't even if you consider the use cases
> valid otherwise?

As I said in the snipped part, anyone able to submit arbitrary input to a shell can already cause it to do arbitrary things. The parser bugs do not give the attacker anything they don’t already have, so they are not security-relevant.

So we are back to the philosophical discussion about where is the vulnerability in putting untrusted data into the environment.

Mirek
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct