[Discuss] Shellshock

Tom Metro tmetro+blu at gmail.com
Wed Oct 1 16:59:01 EDT 2014


Bill Ricker wrote:
> Yes, it's a fair point that the GNU project is older than either Apache or
> Linux, but that doesn't exempt Bash from criticism.
> 
> Alas there is both a misguided feature and at least one bug in the
> feature (even assuming its intent ever made any sense) -- as well as
> the environmental / combination problems.

The age thing is a bit of a red herring, and that this came about due to
a bug in Bash is almost irrelevant. The responsibility lies squarely
with the application that provides the network interface. It should not
be handing off unsanitized data supplied by a client to a child process.

Of course it's not that simple. We have plenty of infrastructure that
depends on doing exactly that. Take CGI for example, where form data is
piped to a child process (in addition to setting a bunch of environment
variables). But in the case of CGI you are just moving the network/local
barrier a bit further down the stack. The CGI code is written with the
expectation that the inputs are tainted.

But still, there should have been a bit more deliberate effort put into
creating a sandboxed environment for running child processes, with very
controlled paths of communication between the network and the child process.


> It was NEVER safe either. Even without Apache. Any setuid binary
> that used system() might pass ENV to BASH...

Yes, agreed, which is why I said "almost irrelevant" above, as Bash
still had a problem that shouldn't have been there.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
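
An added illustration of the "controlled paths of communication" idea in the message above; it is not code from the thread. It assumes a hypothetical front end that starts request handlers as child processes and, unlike CGI, sets no environment variables from the request; `BASE_ENV`, `MAX_REQUEST_BYTES`, `encode_request`, `run_handler` and `DEMO_HANDLER` are names made up for this example.

```python
import json
import subprocess
import sys

# Fixed environment for every child: nothing in it comes from the client.
BASE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}
MAX_REQUEST_BYTES = 64 * 1024  # assumed cap on what one request may hand to a child


def encode_request(headers, body):
    """Serialize client data for the child's stdin; it never becomes an env var."""
    doc = json.dumps({"headers": headers, "body": body}).encode("utf-8")
    if len(doc) > MAX_REQUEST_BYTES:
        raise ValueError("request too large for child process")
    return doc


def run_handler(argv, headers, body, timeout=5):
    """Run argv (a list, no shell) with BASE_ENV only and the request on stdin."""
    proc = subprocess.run(
        argv,
        input=encode_request(headers, body),
        env=dict(BASE_ENV),  # replaces, rather than extends, the parent's environment
        shell=False,         # argv is executed directly, no shell parses it
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        timeout=timeout,
        check=True,
    )
    return proc.stdout


# Stand-in handler (constructed): reports its environment and the headers it parsed.
DEMO_HANDLER = [
    sys.executable, "-c",
    "import json, os, sys; req = json.load(sys.stdin); "
    "print(json.dumps({'env': dict(os.environ), 'seen': sorted(req['headers'])}))",
]


def demo():
    # Constructed request data standing in for what a network client sent.
    headers = {"User-Agent": "constructed-client-value", "Cookie": "constructed=1"}
    return json.loads(run_handler(DEMO_HANDLER, headers, "a=1&b=2"))


if __name__ == "__main__":
    print(demo())
```

The handler still has to treat everything it reads from stdin as tainted; the change is that no interpreter started along the way sees client text in its environment.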


