[clug] Security talk and the bash 'shellshock' vulnerability

Duncan Roe duncan_roe at acslink.net.au
Mon Sep 29 04:37:56 MDT 2014


On Sat, Sep 27, 2014 at 11:11:54AM +0000, Carlo Hamalainen wrote:
> Hi,
>
> The gift that keeps on giving...
>
> http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00211.html
>
> $ cat <<EOF >test.sh
> #!/bin/bash
> cat /dev/null
> EOF
>
> $ chmod a+x test.sh
> $ env cat='() { echo rm -rf /; }' ./test.sh
>
> This will echo rm -fr /.
>
Documented behaviour - functions in the environment take precedence over
external commands, and even bash builtins (I had that trouble with my ":"
function). To avoid importing functions from the environment, start scripts
#!/bin/bash -p

Cheers ... Duncan.
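
Added example, not part of the original message: a check of how a child bash treats an exported function named `cat`, started with and without `-p`. The helper names `child_output` and `child_functions` and the harmless echo body are constructed for illustration; `export -f` is used so the check behaves the same on bash versions that changed the environment encoding of functions.

```bash
#!/bin/bash
# Added example (not from the original thread). The stand-in function body
# is a harmless constructed echo; helper names are hypothetical.

# child_output OPT
#   Export a function named "cat", then run `cat /dev/null` in a fresh
#   child bash started with OPT ("" or "-p"). Prints what the child prints.
child_output() {
    bash -c '
        cat() { echo "function from environment"; }
        export -f cat
        exec bash $1 -c "cat /dev/null"
    ' _ "$1"
}

# child_functions OPT
#   Same setup, but list the function names the child bash inherited
#   (third field of each `declare -F` line).
child_functions() {
    bash -c '
        cat() { echo "function from environment"; }
        export -f cat
        exec bash $1 -c "declare -F"
    ' _ "$1" | awk '{print $3}'
}

# Without -p the exported function shadows /bin/cat in the child.
echo "default : [$(child_output "")]"
# With -p the child does not import functions, so the real cat runs
# and prints nothing for /dev/null.
echo "with -p : [$(child_output -p)]"

echo "inherited by default: $(child_functions "" | tr '\n' ' ')"
echo "inherited with -p   : $(child_functions -p | tr '\n' ' ')"
```

The same `child_functions ""` call, run from a service's start-up environment, shows which function names a script launched there would inherit.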

