Quoting Skip Tavakkolian <skip.tavakkol...@gmail.com>:
> you misrepresent. rsc addressed the non-web-centric issue:
>
> I don't think it is super important to try to make rc defend against
> malicious environments, any more than it is to make it somehow defend
> against malicious $paths. If those are security-relevant, you've
> already lost.

I misrepresent nothing, since I'm talking about what needs fixing in
bash. I agree that rc doesn't need any patching -- to subvert rc like
this you need to be able to *name* the variables. The problem with bash
is that it's not just HTTP_ variables, but ALL variables that contain () {
in them *anywhere* get evaled in full. Russ is advocating patching one
attack vector instead of fixing the actual problem, and I disagree about
that being a good idea.
khm
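
The difference between the two positions in this message, shown as an added example (not code from the thread, from bash or from rc): a check keyed on HTTP_ names next to a check keyed on the value, which follows the "contains () {" description given above. The function names and the NAME=value sample pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: NAME=value pairs passed as arguments.
# Output: one flagged variable name per line.

# Single-vector check: only HTTP_* names are inspected.
flag_http_only() {
    for pair in "$@"; do
        name=${pair%%=*}     # text before the first '='
        value=${pair#*=}     # text after the first '='
        case $name in
            HTTP_*)
                case $value in
                    *'() {'*) printf '%s\n' "$name" ;;
                esac ;;
        esac
    done
}

# Value-based check: any name is flagged if its value contains "() {".
flag_any_name() {
    for pair in "$@"; do
        name=${pair%%=*}
        value=${pair#*=}
        case $value in
            *'() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample environment (inert placeholder bodies).
demo() {
    set -- \
        'HTTP_USER_AGENT=() { constructed; }' \
        'TERM=() { constructed; }' \
        'LC_ALL=text before () { constructed; }' \
        'HTTP_ACCEPT=text/html' \
        'HOME=/home/user'
    echo "name-based check flags:";  flag_http_only "$@"
    echo "value-based check flags:"; flag_any_name "$@"
}

demo
```

On the sample input the name-based check reports only HTTP_USER_AGENT, while the value-based check also reports TERM and LC_ALL.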