BLU Discuss list archive
[Discuss] Shellshock
- Subject: [Discuss] Shellshock
- From: tmetro+blu at gmail.com (Tom Metro)
- Date: Wed, 01 Oct 2014 16:59:01 -0400
- In-reply-to: <CAAbKA3U4r-rxkAW33HPfv6FJE36rqDJx6qESbrS4r7G_VBN1Mw@mail.gmail.com>
- References: <542B5DFA.2080108@gmail.com> <542B5F49.3050500@gmail.com> <CAAbKA3U4r-rxkAW33HPfv6FJE36rqDJx6qESbrS4r7G_VBN1Mw@mail.gmail.com>
Bill Ricker wrote:
> Yes, it's a fair point that the GNU project is older than either Apache or
> Linux, but that doesn't exempt Bash from criticism.
>
> Alas there is both a misguided feature and at least one bug in the
> feature (even assuming its intent ever made any sense) -- as well as
> the environmental / combination problems.

The age thing is a bit of a red herring, and that this came about due to a bug in Bash is almost irrelevant. The responsibility lies squarely with the application that provides the network interface. It should not be handing off unsanitized data supplied by a client to a child process.

Of course it's not that simple. We have plenty of infrastructure that depends on doing exactly that. Take CGI for example, where form data is piped to a child process (in addition to setting a bunch of environment variables). But in the case of CGI you are just moving the network/local barrier a bit further down the stack. The CGI code is written with the expectation that the inputs are tainted.

But still, there should have been a bit more deliberate effort put into creating a sandboxed environment for running child processes, with very controlled paths of communication between the network and the child process.

> It was NEVER safe either, even without Apache. Any setuid binary
> that used system() might pass ENV to BASH...

Yes, agreed, which is why I said "almost irrelevant" above, as Bash still had a problem that shouldn't have been there.

-Tom

--
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
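The message above puts the burden on the gateway rather than on Bash: client data should not be exported wholesale into a child process's environment. As an added example, not code from the BLU thread or from any of its participants, the POSIX sh script below probes the local bash for the function-import behaviour behind Shellshock and then contrasts a CGI-style launcher that exports a client header verbatim with one that rebuilds the child's environment from an allowlist and hands the header over on stdin instead. The function names, the use of the CGI variable HTTP_USER_AGENT, and the payload string are constructed for illustration.

```shell
#!/bin/sh
# Added example; not from the BLU thread. Shows (1) a probe for the bash
# function-import behaviour behind Shellshock and (2) why the gateway, not
# the child, decides what client data reaches the child's environment.

# Constructed payload in the Shellshock shape: a function definition with a
# trailing command that a vulnerable bash would run while importing it.
PAYLOAD='() { :;}; echo vulnerable'

# Probe the local bash. Prints one of: vulnerable, patched, no-bash.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # A patched bash ignores the trailing command (and warns on stderr).
    out=$(env x="$PAYLOAD" bash -c ':' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Use bash for the child when present so the naive path is the real one;
# fall back to sh so the environment comparison still runs elsewhere.
child_shell() {
    command -v bash >/dev/null 2>&1 && echo bash || echo sh
}

# Naive CGI-style gateway: the client's User-Agent header is exported
# verbatim (as CGI's HTTP_USER_AGENT) and a shell child is spawned.
# On an unpatched bash the payload's trailing command runs on import.
naive_gateway() {
    HTTP_USER_AGENT="$1" "$(child_shell)" -c \
        'printf "child saw UA=%s\n" "${HTTP_USER_AGENT-<unset>}"'
}

# Hardened gateway, environment: the child's environment is rebuilt from an
# explicit allowlist with env -i, so the client header never reaches it.
hardened_gateway() {
    HTTP_USER_AGENT="$1" env -i PATH="$PATH" "$(child_shell)" -c \
        'printf "child saw UA=%s\n" "${HTTP_USER_AGENT-<unset>}"'
}

# Hardened gateway, data path: the header is still available to the child,
# but only as a line on stdin, a channel the child has to read deliberately.
hardened_gateway_stdin() {
    printf '%s\n' "$1" | env -i PATH="$PATH" "$(child_shell)" -c \
        'IFS= read -r ua; printf "child read UA=%s\n" "$ua"'
}

echo "bash probe: $(shellshock_probe)"
naive_gateway "$PAYLOAD"
hardened_gateway "$PAYLOAD"
hardened_gateway_stdin "$PAYLOAD"
```

Running it on a patched system prints `bash probe: patched`, then the naive gateway shows the raw payload in the child's environment, the `env -i` gateway shows `<unset>`, and the stdin gateway shows the same payload arriving purely as data. The allowlist here is just PATH; a real gateway would add whatever the CGI program genuinely needs and nothing the client can influence.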
- Follow-Ups:
- [Discuss] Shellshock
- From: johnhall2.0 at gmail.com (John Hall)
- [Discuss] Shellshock
- From: bill.n1vux at gmail.com (Bill Ricker)