by Qantourisc
4283 days ago
I would still argue the bug is not entirely bash's fault. A feature that causes security bugs is, IMO, the fault of the application using a program that has this feature. It's like not escaping strings/CLI commands/SQL commands. Or did I miss something where this bash feature is not supposed to work under all circumstances?
First and foremost: user-provided data has been passed in environment variables since the stone age. That's why, for example, we explicitly guard against LD_PRELOAD'ing a shared library into a suid binary... But it was common knowledge that this selection of dangerous/benign variables can be made based on the NAME of the variable, NOT the CONTENT. And bash basically calls eval(name+' '+env[name]) for every variable containing the magic substring.
Imagine any of your other favourite scripting languages scanning random places for "things that look as if they could be imported/included/executed"... and tell me that this is a smart thing to do.
The second mistake was not just to create a function definition inside the currently running program, but to actually eval the complete content of the variable. If bash just postponed the evaluation of the function to the point in time where it's actually called, no one would be bothered, because the script would have to be tricked into executing a command called "RECIPIENT" (or DHCP_OPTION_1234, or COOKIE, ...).
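The name-vs-content distinction above is what a calling application (CGI server, DHCP client) has to bridge when it hands attacker-influenced variables to a child bash. The following is an added example, not code from this thread or from bash: a Python helper that keeps the traditional name-based deny list and adds a check on the value for the exported-function marker `() {` that pre-patch bash evaluated as code. The environment and the variable names in it are constructed sample data; the deny list is an illustrative subset, not a complete one.

```python
import re
import subprocess

# Traditional check: variables whose NAME is dangerous to a child process,
# regardless of content (illustrative subset, assumed for this example).
DANGEROUS_NAMES = {"LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", "BASH_ENV", "ENV", "SHELLOPTS"}

# Content check: an exported bash function starts with "() {". Pre-patch bash
# eval'd the whole value, so any variable carrying this marker is suspect, no
# matter how benign its name is. Optional whitespace is allowed so that
# near-variants are caught too (over-matching is the safe direction here).
FUNC_MARKER = re.compile(r"^\s*\(\)\s*\{")


def classify(name: str, value: str) -> str:
    """Return 'name', 'content' or 'ok' depending on which check a variable trips."""
    if name in DANGEROUS_NAMES:
        return "name"
    if FUNC_MARKER.match(value):
        return "content"
    return "ok"


def scrub_env(env: dict) -> dict:
    """Return a copy of env with every variable that fails either check removed."""
    return {k: v for k, v in env.items() if classify(k, v) == "ok"}


def run_with_scrubbed_env(argv: list, env: dict) -> subprocess.CompletedProcess:
    """Spawn a child (e.g. a bash CGI script) with only the vetted variables."""
    return subprocess.run(argv, env=scrub_env(env), capture_output=True, text=True)


# Constructed CGI-style environment: a cookie carrying the function marker, a
# classic name-based offender, and two ordinary variables that must survive.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed sample)",
    "HTTP_COOKIE": "() { :; }; echo trailing",   # would have been eval'd by old bash
    "QUERY_STRING": "() not a function definition",
    "LD_PRELOAD": "/tmp/constructed.so",
}

if __name__ == "__main__":
    for k, v in SAMPLE_CGI_ENV.items():
        print(f"{classify(k, v):8} {k}={v}")
```

The scrubbing happens at the boundary where the page's commenters place the responsibility, in the caller, and is independent of whether the bash on the box is patched.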