Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Shellshock



On Wed, Oct 1, 2014 at 4:59 PM, Tom Metro <tmetro+blu at gmail.com> wrote:
> But in the case of CGI you are just moving the network/local
> barrier a bit further down the stack.

and moved it right through system() => /bin/sh => /bin/bash by alias
which last wasn't designed to be network secure.

> The CGI code is written with the
> expectation that the inputs are tainted.

alas, that paranoia (even if correctly implemented, which even Perl
Taint doesn't guarantee, only that something is tried) is only *after*
system() gives unclean ENV to bash to pass to Perl.

[ Efficient CGI implementations using pool processes and RPC for
non-spawning CGI emulation avoid *this* problem, plenty of other room
for trouble. ]

-- 
Bill Ricker
bill.n1vux at gmail.com
https://www.linkedin.com/in/n1vux



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org