
Re: Bug#762839: bash without importing shell functions from the environment



Hi,

Martin Uecker:
> While everybody is looking at bash, isn't this the real
> injection part? Why are there still programs which copy stuff
> from the network into the environment without proper sanitization?

Probably either sheer laziness, or for the usual, misguided-these-days
(IMHO) "be lenient in what you accept" reason.

In any case, there are a bunch of crazy URL schemes out there,
so who are you to decide that PATH_TRANSLATED="() {:;};rm -rf $(ls /)"
is unreasonable? Literally all of these characters occur in actual
real-world URLs, and RFC 3875 explicitly says that it may contain "any
character".

-- 
-- Matthias Urlichs
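The point above, that you cannot reject PATH_TRANSLATED values by the characters they contain without also rejecting legitimate URLs, can be shown with a small filter. This is an added example, not code from the thread or from Debian: it contrasts a naive metacharacter blocklist with a check that only refuses values shaped like bash's function-export format (the `() {` prefix that the vulnerable bash versions parsed); the helper names and the sample CGI variables are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Prefix the vulnerable bash versions looked for when importing a function
# from an environment variable. The regex is deliberately a little looser
# than bash's exact "() {" match so that whitespace variants are caught too.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")

# Naive blocklist, included only to show why it breaks real-world URLs.
SHELL_METACHARS = set("(){};$`|&")


def naive_reject(value: str) -> bool:
    """Blocklist approach: rejects any value containing a shell metacharacter.

    This also rejects harmless values such as a User-Agent string."""
    return any(ch in SHELL_METACHARS for ch in value)


def function_export_reject(value: str) -> bool:
    """Targeted approach: reject only values that look like a bash function export.

    Ordinary URL characters (parentheses, braces, semicolons, dollar signs)
    pass through unless they form the export prefix at the start of the value."""
    return FUNCTION_EXPORT.match(value) is not None


def filter_cgi_env(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return the environment safe to pass to a CGI child and the keys dropped."""
    safe: Dict[str, str] = {}
    dropped: List[str] = []
    for key, value in env.items():
        if function_export_reject(value):
            dropped.append(key)  # a real gateway would also log this as a detection
        else:
            safe[key] = value
    return safe, dropped


# Constructed sample CGI variables (hypothetical, not taken from a real request).
SAMPLE_ENV = {
    "PATH_TRANSLATED": "() {:;};rm -rf $(ls /)",    # the value quoted in the mail
    "QUERY_STRING": "cb=fn(1);x={a}&amp=$1",        # legitimate URL characters
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux)",  # parentheses and a semicolon
}

if __name__ == "__main__":
    for key, value in SAMPLE_ENV.items():
        print(f"{key}: naive={naive_reject(value)} targeted={function_export_reject(value)}")
    print(filter_cgi_env(SAMPLE_ENV))
```

Only PATH_TRANSLATED is dropped by the targeted check, while the naive blocklist would have refused all three values.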


