On Thursday, September 25, 2014 09:03:03 AM Chet Ramey wrote: > On 9/25/14, 4:52 AM, Gabriel Corona wrote: > > Hello, > > > > As the interface is not specified, would it make sense to: > > > > * add a prefix (use BASH_FUNCTION_foo instead of foo for exported > > function foo); > > > > * still expand the variable if it matches the 'exported function' > > pattern. > > Yes, that's one of the approaches under consideration. It raises the > bar for abuse by requiring that an attacker be able to create environment > variables with arbitrary names as well as values. It is not, > unfortunately, backwards compatible. >
Have you considered the FPATH mechanism? Exploiting it requires being able to create files and set FPATH accordingly. I've had some success with the function loader code in examples/functions/autoload.*. I believe it serves mostly the same purpose as exported functions. -- Dan Douglas