On 09/28/2014 11:02 AM, David A. Wheeler wrote:
> Eric Blake <ebl...@redhat.com> posted on Sat, 27 Sep 2014 18:26:43 -0600:
>> There has been a LOT of news about bash's Shell Shock bug lately.
>> Document some of the ramifications it has on portable scripting.
> 
> Documenting this seems reasonable.

Thanks; I'll push my patch soon.

> 
>> I'm still debating about adding a sniffer to configure scripts that
>> warns users if they still have a vulnerable bash on their system,
> 
> I think it'd be reasonable to add some basic detections for easy cases.

Here's a fairly easy test:

export x='() { :; }'
y=`bash -c 'echo "$x"'`
if test "x$x" != "x$y"; then
  echo "The first bash on your \$PATH is vulnerable to Shell Shock"
fi

(of course, I'd tweak it to fit in more with Autoconf style).  But the
point is that ALL we have to check for is whether the shell FAILS to
export a normal variable as a normal variable, not whether functions get
auto-instantiated.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
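
The check described in the message above, generalised as an added example (not part of the original message or of Autoconf): it probes every copy of a shell found on `$PATH` rather than only the first, and keeps the probe variable out of the caller's environment. The function names `probe_shell` and `scan_path` and the status words they print are hypothetical.

```shell
#!/bin/sh
# Added example; probe_shell and scan_path are hypothetical names.

# probe_shell SHELL
#   0: an exported variable whose value looks like a function definition
#      reaches SHELL unchanged
#   1: the value was altered or dropped (the symptom tested for above)
#   2: SHELL could not be run
probe_shell() {
  probe_sh=$1
  probe_val='() { :; }'
  [ -x "$probe_sh" ] || return 2
  # Run in a subshell so the exported probe never leaks into the caller.
  probe_out=$(
    x=$probe_val
    export x
    "$probe_sh" -c 'echo "$x"' 2>/dev/null
  ) || return 2
  [ "x$probe_out" = "x$probe_val" ]
}

# scan_path NAME
#   Probe every executable NAME on $PATH, printing "<status> <path>" for
#   each. Returns 1 if any copy failed the probe, else 0.
scan_path() {
  scan_name=$1
  scan_rc=0
  scan_ifs=$IFS
  IFS=:
  for scan_dir in $PATH; do
    IFS=$scan_ifs
    scan_cand=${scan_dir:-.}/$scan_name
    [ -f "$scan_cand" ] && [ -x "$scan_cand" ] || continue
    probe_shell "$scan_cand" && scan_st=0 || scan_st=$?
    case $scan_st in
      0) echo "ok $scan_cand" ;;
      1) echo "VULNERABLE $scan_cand"; scan_rc=1 ;;
      *) echo "error $scan_cand" ;;
    esac
  done
  IFS=$scan_ifs
  return $scan_rc
}

# Usage: scan_path bash
```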


_______________________________________________
Autoconf mailing list
Autoconf@gnu.org
https://lists.gnu.org/mailman/listinfo/autoconf
