Hacker News new | ask | show | jobs
by nitrogen 4283 days ago
Upon researching this, "() {" will always catch this.

Unless the input is decoded in some way before reaching an environment variable. E.g. HTML entities, hex escapes (percent or backslash), gzip, ... Best just to patch bash and switch to a different /bin/sh.
1 comments
meowface 4281 days ago
I should have said "will always catch this for CGI servers and HTTP headers".
link