Bill Ricker wrote:
> Yes, it's a fair point that Gnu project is older than either Apache or
> Linux, but that doesn't exempt Bash from criticism.
>
> Alas there is both a mis-guided feature and at least one bug in the
> feature (even assuming its intent ever made any sense) -- as well as
> the environmental / combination problems.

The age thing is a bit of a red herring, and that this came about due to a bug in Bash is almost irrelevant. The responsibility lies squarely with the application that provides the network interface. It should not be handing off unsanitized data supplied by a client to a child process.

Of course it's not that simple. We have plenty of infrastructure that depends on doing exactly that. Take CGI for example, where form data is piped to a child process (in addition to setting a bunch of environment variables). But in the case of CGI you are just moving the network/local barrier a bit further down the stack. The CGI code is written with the expectation that the inputs are tainted.

But still, there should have been a bit more deliberate effort put into creating a sandboxed environment for running child processes, with very controlled paths of communication between the network and the child process.

> It was NEVER safe either. even without Apache. Any Setuid binary
> that used system() might pass ENV to BASH...

Yes, agreed, which is why I said "almost irrelevant" above, as Bash still had a problem that shouldn't have been there.

 -Tom

--
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
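
The controlled hand-off to a child process that the message above argues for, as an added example that is not part of the original post or of any project it mentions. The variable allowlist, value patterns, limits and function names are assumptions chosen for illustration; the child gets a fresh environment, is started without a shell, and receives the request body only over stdin.

```python
import re
import subprocess
import sys

# Fixed values the child always receives (assumed set for this example).
FIXED_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}

# Client-derived variables the child may receive, each with a strict pattern.
# Names follow CGI conventions; the patterns are assumptions for this example.
CLIENT_ENV_RULES = {
    "REQUEST_METHOD": re.compile(r"GET|POST|HEAD"),
    "CONTENT_TYPE": re.compile(r"[A-Za-z0-9.+-]+/[A-Za-z0-9.+-]+"),
    "REMOTE_ADDR": re.compile(r"[0-9A-Fa-f:.]{2,45}"),
}
MAX_VALUE_LEN = 256


def build_child_env(client_values):
    """Return (env, rejected). env holds only allowlisted, validated values."""
    env = dict(FIXED_ENV)  # start from scratch, never from os.environ
    rejected = []
    for name, value in client_values.items():
        rule = CLIENT_ENV_RULES.get(name)
        if rule is None or len(value) > MAX_VALUE_LEN or not rule.fullmatch(value):
            rejected.append(name)  # unknown name or malformed value: drop it
            continue
        env[name] = value
    return env, sorted(rejected)


def run_child(argv, client_values, body=b""):
    """Run argv directly (no shell) with the filtered env; body goes to stdin."""
    env, rejected = build_child_env(client_values)
    proc = subprocess.run(argv, env=env, input=body, capture_output=True,
                          shell=False, timeout=10, check=False)
    return proc.stdout, rejected


if __name__ == "__main__":
    # Constructed sample of client-supplied request data.
    sample = {
        "REQUEST_METHOD": "POST",
        "REMOTE_ADDR": "192.0.2.10",
        "HTTP_USER_AGENT": "free-form text chosen by the client",
        "CONTENT_TYPE": "text/plain\nX-Extra: y",
    }
    child = [sys.executable, "-c", "import os; print(sorted(os.environ))"]
    out, dropped = run_child(child, sample, b"field=value")
    print(out.decode().strip(), "dropped:", dropped)
```
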