On 26 September 2014 20:04, Saso Kiselkov <skiselkov...@gmail.com> wrote:
> The invoking shell is irrelevant. Here's your problem:
>                                vvvvvvv
> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
>                                ^^^^^^^
> Put bash in there and you'll get a vulnerable "busted" result.

Of course, thank you, I never noticed that I was running /bin/sh, not /bin/bash.

Moral of the story: Never operate heavy machinery or shell scripts when tired.

