On Fri, Sep 26, 2014 at 3:24 PM, Vincent Lefevre <vinc...@vinc17.net> wrote:
> On 2014-09-25 03:54:19 +0800, lolilolicon wrote:
>> [...] that it's still possible to
>> mask commands in a bash script by changing its environment.
>>
>> For example, true='() { false;}' or grep='() { /bin/id;}' ...
>
> Yes, and BTW, I don't think this is POSIX compliant: [...]
> This means that some application like sudo that needs to clean up
> the environment could choose to keep these environment variables
> with lowercase letters, and this could have really bad effects if
> a bash script is executed.

Yes, my opinion is ENV is a bad channel for doing function export. ENV is a shared space, isn't well-specified, relies entirely on policy instead of any intrinsic mechanism... it's just fundamentally unsuitable for too much special interpretation.
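
An added example, not part of the original thread: a sketch of why an environment cleaner that decides by variable name alone passes the function-valued variables quoted above, next to one that also inspects values. The allowlist, the function names and the sample environment are assumptions made for illustration; this is not sudo's code.

```python
# Values beginning with this prefix are the function-definition form used in
# the thread's examples (true='() { false;}', grep='() { /bin/id;}').
FUNC_PREFIX = "() {"

# Assumed allowlist of uppercase names a cleaner might pass through.
SAFE_UPPER = {"PATH", "HOME", "LANG", "TERM"}


def clean_by_name(env):
    """Name-only policy: keep allowlisted uppercase names and every
    lowercase name (treated here as application-private)."""
    return {k: v for k, v in env.items() if k in SAFE_UPPER or k.islower()}


def clean_by_value(env):
    """Name policy plus a value check: drop anything a function-importing
    shell could read as a function definition. Returns (kept, dropped)."""
    kept, dropped = {}, []
    for name, value in clean_by_name(env).items():
        if value.startswith(FUNC_PREFIX):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, sorted(dropped)


# Constructed sample environment; the two function-valued entries are the
# ones quoted in the thread.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "LD_PRELOAD": "/tmp/x.so",
    "editor": "vi",
    "true": "() { false;}",
    "grep": "() { /bin/id;}",
}

if __name__ == "__main__":
    print("name-only keeps:", sorted(clean_by_name(SAMPLE_ENV)))
    kept, dropped = clean_by_value(SAMPLE_ENV)
    print("value check keeps:", sorted(kept), "drops:", dropped)
```
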