[TUHS] Interesting post by Rob Pike in 1985: Shells, features and interaction

The Unix Heritage Society mailing list
 help / color / mirror / Atom feed

From: random832@fastmail.com (Random832)
Subject: [TUHS] Interesting post by Rob Pike in 1985: Shells, features and interaction
Date: Wed, 18 Nov 2015 00:36:28 -0500	[thread overview]
Message-ID: <m2bnarvpgj.fsf@fastmail.com> (raw)
In-Reply-To: <7694.1447811788@cesium.clock.org>

"Erik E. Fair" <fair-tuhs at netbsd.org>
writes:
> That function export feature of bash was not the cause of the
> Shellshock vulnerability.
>
> The cause was idiot programmers who wrote CGI scripts for bash
> without proper data sanitization.

The manner in which bash (pre-shellshock) imported functions from the
environment, along with the vulnerability, made "proper data
sanitization" flatly impossible without deep knowledge of what kind of
strings it was looking for. It would import functions from absolutely
any variable, with any name, including variables explicitly designated
in the protocols involved to hold untrusted remote data.

Removing text in a format that triggers a feature of a particular shell
from HTTP_COOKIE is absolutely not the CGI script's responsibility (the
bug triggers before the script gets to execute a single line), and I
would argue it's not the HTTP server's problem either.

And if the bash feature had been implemented correctly, it would have
been mostly harmless (The remote client could still have caused a
function called HTTP_COOKIE to be defined, but the script's almost
certainly not going to execute it)

     prev parent reply	other threads:[~2015-11-18  5:36 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-17 22:55 Random832
2015-11-18  0:38 ` Random832
2015-11-18  0:50 ` Brantley Coile
2015-11-18 12:47   ` Christian Neukirchen
2015-11-18  1:56 ` Erik E. Fair
2015-11-18  5:15   ` Kurt H Maier
2015-11-18  5:36   ` Random832 [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m2bnarvpgj.fsf@fastmail.com \
    --to=random832@fastmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).