From: Skip Tavakkolian <skip.tavakkolian@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] shell functions
Date: Fri, 26 Sep 2014 09:44:49 -0700 [thread overview]
Message-ID: <CAJSxfmJziKuERcDs6H+6bs5CVjfNv_Ddq1vbo75eqiViQyXSCQ@mail.gmail.com> (raw)
In-Reply-To: <20140926163212.Horde.kuocVrN6KLWBJ9UPAJ0X3Q1@ssl.eumx.net>
[-- Attachment #1: Type: text/plain, Size: 1392 bytes --]
you misrepresent. rsc addressed the non-web-centric issue:
> I don't think it is super important to try to make rc defend against
malicious environments, any more than
> it is to make it somehow defend against malicious $paths. If those are
security-relevant, you've already lost.
On Fri, Sep 26, 2014 at 9:32 AM, Kurt H Maier <khm@sciops.net> wrote:
> Quoting Russ Cox <rsc@swtch.com>:
>
> The right fix is to eliminate all possible interaction between (1) and
>> (2).
>> The first public fix focused instead on making (1) more robust, and guess
>> what, it wasn't good enough and now there is a *second* CVE about this
>> problem, and a *second* attempt at making (1) more robust. It is almost
>> certainly too late to change CGI, but bash could be changed to just ignore
>> CGI's variables (HTTP_*), and I hope that's what will eventually happen.
>> I'm not holding my breath: I bet we'll see a cascade of patches trying to
>> make this interaction "safe" instead of removing it.
>>
>>
> This is a heartbreakingly web-centric view of these issues. The real
> problem is that bash was evaling stuff that had () { in it, and it is
> very, very much not relegated to CGI use. There are exploits in the
> wild for both DHCP and ssh.
>
> Obviously bash is an awful shell, but munging it for apache is not the
> right answer to anything.
>
> khm
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 2280 bytes --]
next prev parent reply other threads:[~2014-09-26 16:44 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAL0h+tWUCrwWoTSeLz+Kx1yqKwKqwDBZZbH7fLe-PWXjLSgWWw@mail.gmail.com>
2014-09-26 15:54 ` Russ Cox
2014-09-26 16:32 ` [9fans] " Kurt H Maier
2014-09-26 16:44 ` Skip Tavakkolian [this message]
2014-09-26 16:55 ` Kurt H Maier
2014-09-29 15:30 ` Russ Cox
2014-09-26 16:48 ` Bakul Shah
2014-09-27 14:40 ` Christian Neukirchen
2014-09-28 7:00 ` arisawa
2014-09-28 9:39 ` Richard Miller
2014-09-29 13:03 ` arisawa
2014-09-29 13:20 ` Charles Forsyth
2014-10-01 9:37 ` arisawa
2014-09-29 18:05 ` erik quanstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJSxfmJziKuERcDs6H+6bs5CVjfNv_Ddq1vbo75eqiViQyXSCQ@mail.gmail.com \
--to=skip.tavakkolian@gmail.com \
--cc=9fans@9fans.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).