[Discuss] Shellshock
Tom Metro
tmetro+blu at gmail.com
Wed Oct 1 16:59:01 EDT 2014
Bill Ricker wrote:
> Yes, it's a fair point that Gnu project is older than either Apache or
> Linux, but that doesn't exempt Bash from criticism.
>
> Alas there is both a mis-guided feature and at least one bug in the
> feature (even assuming its intent ever made any sense) -- as well as
> the environmental / combination problems.
The age thing is a bit of a red herring, and that this came about due to
a bug in Bash is almost irrelevant. The responsibility lies squarely
with the application that provides the network interface. It should not
be handing off unsanitized data supplied by a client to a child process.
Of course it's not that simple. We have plenty of infrastructure that
depends on doing exactly that. Take CGI for example, where form data is
piped to a child process (in addition to setting a bunch of environment
variables). But in the case of CGI you are just moving the network/local
barrier a bit further down the stack. The CGI code is written with the
expectation that the inputs are tainted.
But still, there should have been a bit more deliberate effort put into
creating a sandboxed environment for running child processes, with very
controlled paths of communication between the network and the child process.
> It was NEVER safe either. even without Apache. Any Setuid binary
> that used system() might pass ENV to BASH...
Yes, agreed, which is why I said "almost irrelevant" above, as Bash
still had a problem that shouldn't have been there.
-Tom
--
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
More information about the Discuss
mailing list