On Fri, Sep 26, 2014 at 03:27:06PM -0500, Paul Gilmartin wrote:
[...]
> This is Bobby Tables all over again:
>
> http://xkcd.com/327/
>
> It relies on a bash extension which, however useful, violates POSIX by
> restricting the value space of environment variables. The Wikipedia
> example, slightly altered:
>
> user@HOST:
> user@HOST: x='() { echo F;}; echo vulnerable' bash -xc ': test; echo "x is $x"'
> bash:+ echo vulnerable
> vulnerable
> bash:0+ : test
> bash:0+ echo 'x is '
> x is
> user@HOST:
>
> POSIXly should display:
>
> user@HOST: x='() { echo F;}; echo vulnerable' ksh -xc ': test; echo "x is $x"'
> ksh:1+ : test
> ksh:1+ echo 'x is () { echo F;}; echo vulnerable'
> x is () { echo F;}; echo vulnerable
> user@HOST:
>
> However useful imported functions are, they're needless. The effect
> could be achieved more safely, function-by-function, by such as:
>
> eval "x$x"    # to import function x, etc.
>
> But, still, beware of Bobby Tables; it's mere hygiene when using eval.
Right. I played a bit with those examples and it turned out the problem
was a bit more serious than I thought. But I think that "bash -r" (i.e.
the restricted one) or, even better, using a different sh-compatible shell
should help a lot. Of course this works best if one didn't use bash
specific features...

--
Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.   **
** As the answer, master did "rm -rif" on the programmer's home **
** directory. And then the C programmer became enlightened...   **
**                                                              **
** Tomasz Rola          mailto:tomasz_r...@bigfoot.com          **
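Added example, not code from either post: a POSIX sh script that probes a shell with the harmless payload from the quoted transcript and reports whether the trailing command ran, plus a wrapper that strips function-looking values from the environment before spawning a command so an unpatched bash has nothing to import. The function names `probe_function_import` and `run_with_clean_env` are my own.

```sh
#!/bin/sh
# Added example; function names are assumptions, not from the thread.

# Probe a shell with the payload from the quoted transcript. If the shell
# imports "x" as a function from the environment, the trailing
# "echo vulnerable" runs at startup, before the -c command itself.
# Prints "vulnerable" or "safe"; returns 2 if the shell is not installed.
probe_function_import() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || return 2
    out=$(x='() { :;}; echo vulnerable' "$shell" -c ':' 2>/dev/null) || :
    if [ "$out" = "vulnerable" ]; then
        echo vulnerable
    else
        echo safe
    fi
}

# Mitigation for code that must spawn a shell under an environment it does
# not control: in a subshell, unset every variable whose value starts with
# "() {" (the pattern an unpatched bash treats as a function definition),
# then exec the command. Ordinary variables pass through untouched.
#   run_with_clean_env bash -c 'echo "$x"'
run_with_clean_env() {
    (
        for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=() {.*/\1/p'); do
            unset "$name"
        done
        exec "$@"
    )
}

# Stand-alone use: report on the shells given as arguments (default: sh bash).
[ "$#" -gt 0 ] && shells="$*" || shells="sh bash"
for s in $shells; do
    printf '%s: %s\n' "$s" "$(probe_function_import "$s" || echo 'not installed')"
done
```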