Re: Bug#762839: bash without importing shell functions from the environment

To: debian-devel@lists.debian.org
Subject: Re: Bug#762839: bash without importing shell functions from the environment
From: Nikolaus Rath <Nikolaus@rath.org>
Date: Thu, 25 Sep 2014 17:26:40 -0700
Message-id: <[🔎] 87oau3mdkv.fsf@vostro.rath.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20140925203900.GT3550@type.youpi.perso.aquilenet.fr> (Samuel Thibault's message of "Thu, 25 Sep 2014 22:39:00 +0200")
References: <[🔎] 21540.13505.438186.122045@chiark.greenend.org.uk> <[🔎] 20140925162026.GA11755@type.bordeaux.inria.fr> <[🔎] 20140925191758.GA6306@smurf.noris.de> <[🔎] 20140925203900.GT3550@type.youpi.perso.aquilenet.fr>

Samuel Thibault <sthibault@debian.org> writes:
> Matthias Urlichs, le Thu 25 Sep 2014 21:17:58 +0200, a écrit :
>> Samuel Thibault:
>> > Sounds crazy to me.
>> > 
>> Definitely. This is now out in the wild; exploits which simply replace
>> echo or cat-without-/bin are going to happen. :-/
>
> That's not so easy to exploit. You have to manage to inject those precise
> variable names.

Wasn't there some web server that used to put query script variables
into the environment of the CGI script? Or am I confusing that with
PHP's evil register_globals?

Best,
-Nikolaus

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

Reply to:

Follow-Ups:
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Brian May <brian@microcomaustralia.com.au>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Samuel Thibault <sthibault@debian.org>

References:
- bash without importing shell functions from the environment
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Samuel Thibault <sthibault@debian.org>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Matthias Urlichs <matthias@urlichs.de>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Samuel Thibault <sthibault@debian.org>

Prev by Date: Re: Seeking help with OpenVPN scripts and systemd
Next by Date: Re: bash without importing shell functions from the environment
Previous by thread: Re: Bug#762839: bash without importing shell functions from the environment
Next by thread: Re: Bug#762839: bash without importing shell functions from the environment
Index(es):
- Date
- Thread