On Wed, Mar 9, 2016 at 1:13 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> On Fri, Sep 25, 2015 at 8:29 AM, <gsm...@apache.org> wrote:
>> Author: gsmith
>> Date: Fri Sep 25 06:29:05 2015
>> New Revision: 1705217
>>
>> URL: http://svn.apache.org/viewvc?rev=1705217&view=rev
>> Log:
>> core/util_script: relax alphanumeric filter of environment variable names
>> on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et al.
>> unadulterated in 64 bit versions of Windows. PR 46751.
>
> Can one define functions in environment variables on Windows (and if
> so is the parenthesis in the place)?
> I don't think so, but not very aware of Windows things either, thus
> prefer to ask wrt CVE-2014-6271...
>
> What about MinGW or any unix-like shell ported on Windows (which could
> be used as CGI)?

It seems we didn't do anything about CVE-2014-6271 et al. anyway (bash issue), still I find these permissive env names quite dubious...

Btw, SGIs that really care about these vars could use PROGRAMFILES_X86_ already.
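
The two filter behaviours discussed in this thread, side by side, as an added sketch that is not httpd's util_script code: `sanitize_env_name` and its `allow_parens` flag are hypothetical names, the sample variable names are constructed, and the letter-first rule and the `_` replacement are assumptions chosen to match the `PROGRAMFILES_X86_` form mentioned above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not httpd's function): copy `name` into `out`,
 * replacing every character the filter rejects with '_'.
 *   allow_parens = 0: letters and digits only (strict filter).
 *   allow_parens = 1: additionally keep '(' and ')' (relaxed filter).
 * Assumption of this sketch: the first character must be a letter in
 * both modes. Returns the number of characters changed, or -1 if `out`
 * is too small to hold the result. */
int sanitize_env_name(const char *name, char *out, size_t outlen,
                      int allow_parens)
{
    size_t i, n = strlen(name);
    int changed = 0;

    if (n + 1 > outlen)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (i == 0) ? isalpha(c) : isalnum(c);

        if (!ok && i > 0 && allow_parens && (c == '(' || c == ')'))
            ok = 1;
        if (!ok) {
            if (c != '_')
                changed++;      /* '_' -> '_' is not a visible change */
            c = '_';
        }
        out[i] = (char)c;
    }
    out[n] = '\0';
    return changed;
}

int main(void)
{
    /* Constructed sample names, not taken from a real server. */
    const char *names[] = { "PROGRAMFILES(X86)", "HTTP_X-FOO", "(LEADING)" };
    char strict[64], relaxed[64];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int s = sanitize_env_name(names[i], strict, sizeof strict, 0);
        int r = sanitize_env_name(names[i], relaxed, sizeof relaxed, 1);
        printf("%-18s strict=%s (%d) relaxed=%s (%d)\n",
               names[i], strict, s, relaxed, r);
    }
    return 0;
}
```
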