On 09/29/2014 04:44 PM, Zack Weinberg wrote:
> On Sat, Sep 27, 2014 at 8:26 PM, Eric Blake <ebl...@redhat.com> wrote:
>> There has been a LOT of news about bash's Shell Shock bug lately.
>> Document some of the ramifications it has on portable scripting.
>
> I think this is a good idea in the abstract, but I think it's maybe a
> little too specific to this particular incident. Can I suggest
> instead
>
> +Posix requires @command{export} to work with any arbitrary value for the
> +contents of the variable being exported. However, some shells have
> extensions
> +that involve interpreting some values specially. We currently know of only
> one
> +case: all versions of Bash released prior to 27 September 2014 interpret
> +an environment variable whose value begins with @code{() @{} as a shell
> +function definition. (This is the ``Shellshock'' bug, CVE-2014-6271; it was
> +possible to exploit the parser and cause code to execute immediately upon
> +shell startup. Newer versions of Bash use special environment variable
> +@emph{names} to implement the same feature.)
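
Review bot: the cutoff "all versions of Bash released prior to 27 September 2014" identifies affected shells by release date only, which a reader cannot check against an installed shell as directly as a version or patch level; consider giving the fixed version alongside the date. The paragraph also stops at describing the behaviour: it never says what a script author should do, so a closing sentence advising against exporting values that begin with @code{() @{} when an older Bash may be the receiving shell would make it actionable. "We currently know of only one case" will date quickly in a manual and could be tied to the time of writing.
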
Thanks for the suggestions. I incorporated a lot of this wording, and also mentioned that there is still an inherent ARG_MAX limitation (you can't shove infinite data through the environment, although modern Linux has moved towards no arbitrary limit) and on the issues of not being able to preserve non-shell-name variables created by env when passing through certain shells. The result is finally pushed.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
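
The environment hazards discussed in this thread (values beginning with "() {", variable names that are not shell names, and ARG_MAX) can be checked from a script. The following is an added example, not code from the thread or from Autoconf; the function names, the RT_PROBE and rt-probe variables and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and sample entries are constructed.

# Classify one NAME=VALUE entry: is the name a shell name, and does the
# value start with the "() {" prefix that old Bash read as a function?
classify_entry() {
    name=${1%%=*} value=${1#*=}
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo non-shell-name; return ;;
    esac
    case $value in
        '() {'*) echo function-like-value ;;
        *) echo ok ;;
    esac
}

# Return 0 if VALUE ($1), exported to a child SHELL ($2, default sh),
# comes back byte for byte. The probe value carries no trailing command,
# so nothing runs even in a shell that imports it as a function; in that
# case the string does not arrive as a variable and the comparison fails.
roundtrip_ok() {
    value=$1 shell=${2:-sh}
    # The trailing "." keeps command substitution from eating newlines.
    got=$(RT_PROBE=$value "$shell" -c 'printf "%s." "$RT_PROBE"') || return 2
    [ "$got" = "$value." ]
}

# Return 0 if a variable created by env under a non-shell name is still
# in the environment of a process started by SHELL ($1, default sh).
nonname_survives() {
    shell=${1:-sh}
    env 'rt-probe=1' "$shell" -c 'env' | grep -q '^rt-probe=1$'
}

for entry in 'PATH=/usr/bin' 'x=() { :; }' 'a-b=1'; do
    printf '%-14s %s\n' "$entry" "$(classify_entry "$entry")"
done
if roundtrip_ok '() { :; }'; then echo 'sh: "() {" value preserved'
else echo 'sh: "() {" value altered or dropped'; fi
if nonname_survives; then echo 'sh: non-shell-name variable passed on'
else echo 'sh: non-shell-name variable dropped'; fi
echo "ARG_MAX: $(getconf ARG_MAX 2>/dev/null || echo unknown)"
```

Pass another interpreter as the last argument of roundtrip_ok or nonname_survives to compare shells; the non-shell-name result differs between shells, so it is reported rather than treated as an error.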