On Fri, Sep 26, 2014 at 3:24 PM, Vincent Lefevre <vinc...@vinc17.net> wrote:
> On 2014-09-25 03:54:19 +0800, lolilolicon wrote:
>> [...] that it's still possible to
>> mask commands in a bash script by changing its environment.
>>
>> For example, true='() { false;}' or grep='() { /bin/id;}' ...
>
> Yes, and BTW, I don't think this is POSIX compliant:
[...]
> This means that some application like sudo that needs to clean up
> the environment could choose to keep these environment variables
> with lowercase letters, and this could have really bad effects if
> a bash script is executed.

Yes, my opinion is ENV is a bad channel for doing function export.
ENV is a shared space, isn't well-specified, relies entirely on policy
instead of any intrinsic mechanism... it's just fundamentally
unsuitable for too much special interpretation.
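
Added example (not part of the original email, and not code from bash or sudo): a Python sketch of why a name-based cleanup policy is not enough here. It passes the two definitions quoted in the thread, while a check on the value's `() {` prefix drops them. The denylist, function names and sample environment are constructed assumptions; the `BASH_FUNC_` prefix is the naming later bash releases use for exported functions.

```python
# Legacy bash encoding discussed in the thread: a variable whose value starts
# with exactly "() {" is imported as a function named after the variable.
LEGACY_FUNC_PREFIX = "() {"
# Later bash releases export functions under names like BASH_FUNC_name%%.
NAMESPACED_PREFIX = "BASH_FUNC_"

# Hypothetical name-only policy of an environment-cleaning wrapper.
NAME_DENYLIST = {"LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", "BASH_ENV", "ENV"}


def name_policy(env):
    """Keep every entry whose NAME is not denylisted (values are not inspected)."""
    return {k: v for k, v in env.items() if k not in NAME_DENYLIST}


def is_function_export(name, value):
    """True if a bash child process could import this entry as a function."""
    return name.startswith(NAMESPACED_PREFIX) or value.startswith(LEGACY_FUNC_PREFIX)


def scrub(env):
    """Apply the name policy, then drop function exports by inspecting values.

    Returns (clean_env, dropped_names)."""
    kept = name_policy(env)
    dropped = sorted(k for k, v in kept.items() if is_function_export(k, v))
    clean = {k: v for k, v in kept.items() if k not in dropped}
    return clean, dropped


# Constructed sample environment; "true" and "grep" are the thread's examples.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "LD_PRELOAD": "/opt/lib/shim.so",
    "true": "() { false;}",
    "grep": "() { /bin/id;}",
    "note": "(not a function) { }",
    "BASH_FUNC_ls%%": "() { :; }",
}

if __name__ == "__main__":
    print("name policy keeps:", sorted(name_policy(SAMPLE_ENV)))
    clean, dropped = scrub(SAMPLE_ENV)
    print("dropped as function exports:", dropped)
    print("passed to the script:", sorted(clean))
```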
