Timeline for What does `env x='() { :;}; command' bash` do and why is it insecure?
Current License: CC BY-SA 3.0
19 events
| when | type | what | by | license | comment |
|---|---|---|---|---|---|
| Jul 22, 2019 at 8:15 | vote | accept | jippie | | |
| Sep 28, 2014 at 13:31 | history | edited | Chris Down | CC BY-SA 3.0 | deleted 1 character in body |
| Sep 28, 2014 at 0:15 | comment | added | ack | | The most recent (second!) bash update shows the exported function as environment variable `BASH_FUNC_foo()=...`, not `foo=() ...`, a very important difference, as it also makes it impossible to override common tools like `grep` and `cat` by crafting environment variables with these names and putting function definitions in them, as manually setting `var()="value"` isn't valid syntax and will produce an error. |
| Sep 26, 2014 at 20:18 | comment | added | vmrob | | So does that imply that setting the user agent string to `() { :; }; :(){ :\|:& };:` would fork bomb such insecure sites? Sounds like people should update their bash! |
| Sep 26, 2014 at 8:56 | history | edited | Chris Down | CC BY-SA 3.0 | added 555 characters in body |
| Sep 26, 2014 at 8:51 | history | edited | Chris Down | CC BY-SA 3.0 | added 555 characters in body |
| Sep 26, 2014 at 8:37 | history | edited | Chris Down | CC BY-SA 3.0 | Add example of vuln |
| Sep 26, 2014 at 8:31 | history | edited | Chris Down | CC BY-SA 3.0 | Add example of vuln |
| Sep 25, 2014 at 19:42 | history | suggested | Mark | CC BY-SA 3.0 | correct foo/bar |
| Sep 25, 2014 at 19:31 | review | Suggested edits | | | Sep 25, 2014 at 19:42 |
| Sep 25, 2014 at 13:06 | comment | added | Gilles 'SO- stop being evil' | | @gnclmorais You mean you run `export bar='() { echo "bar" ; }'; zsh -c bar` and it displays `bar` rather than `zsh:1: command not found: bar`? Are you sure you aren't confusing the shell you're invoking with the shell that you're using to set up the test? |
| Sep 25, 2014 at 12:42 | comment | added | gnclmorais | | @Gilles, I’m running zsh and I do have the bug, so… zsh seems to be vulnerable as well. |
| Sep 25, 2014 at 7:17 | comment | added | Mathias Bynens | | Some more info can be found in Michał Zalewski’s blog post about this Bash vulnerability. |
| Sep 25, 2014 at 0:16 | history | edited | Chris Down | CC BY-SA 3.0 | deleted 19 characters in body |
| Sep 24, 2014 at 23:48 | comment | added | Stéphane Chazelas | | @user815423426 rc is the other shell that passes functions in the environment, but it's with variables with names prefixed with "fn_", and they are only interpreted when invoked. |
| Sep 24, 2014 at 23:19 | comment | added | Gilles 'SO- stop being evil' | | @user815423426 No, zsh doesn't have this feature. Ksh has it but implemented differently; I think functions can only be transmitted in very narrow circumstances, only if the shell forks, not through the environment. |
| Sep 24, 2014 at 22:52 | comment | added | Amelio Vazquez-Reina | | Could this affect any other Bash-like shell then, like Zsh? |
| Sep 24, 2014 at 20:17 | history | edited | Chris Down | CC BY-SA 3.0 | added 117 characters in body |
| Sep 24, 2014 at 20:10 | history | answered | Chris Down | CC BY-SA 3.0 | |