Is the behavior behind the Shellshock vulnerability in Bash documented or at all intentional?

by

This seems like an implementation bug.

Apparently, the way exported functions work in bash is that they use specially-formatted environment variables. If you export a function:

f() { ... }

it defines an environment variable like:

f="() { ... }"

What’s probably happening is that when the new shell sees an environment variable whose value begins with (), it prepends the variable name and executes the resulting string. The bug is that this includes executing anything after the function definition as well.

The fix described is apparently to parse the result to see if it’s a valid function definition. If not, it prints the warning about the invalid function definition attempt.

This article confirms my explanation of the cause of the bug. It also goes into a little more detail about how the fix resolves it: not only do they parse the values more carefully, but variables that are used to pass exported functions follow a special naming convention. This naming convention is different from that used for the environment variables created for CGI scripts, so an HTTP client should never be able to get its foot into this door.

More Related Contents:

  1. what exactly env command do? [duplicate]
  2. What are the special dollar sign shell variables?
  3. Can I export a variable to the environment from a Bash script without sourcing it?
  4. Passing parameters to a Bash function
  5. Set environment variables from file of key/value pairs
  6. Return value in a Bash function
  7. Why can’t I specify an environment variable and echo it in the same command line?
  8. How to pass all arguments passed to my bash script to a function of mine? [duplicate]
  9. Setting an environment variable before a command in Bash is not working for the second command in a pipe
  10. What is the exact meaning of IFS=$’\n’?
  11. Passing a string with spaces as a function argument in Bash
  12. Difference between return and exit in Bash functions
  13. Using getopts inside a Bash function
  14. LINES and COLUMNS environmental variables lost in a script
  15. How to determine function name from inside a function
  16. How to write a bash script to set global environment variable?
  17. Execute a shell function with timeout
  18. Forward function declarations in a Bash or a Shell script?
  19. How to effectively abort the execution of a Bash script from a function
  20. Determine if a function exists in bash
  21. How does one change the language of the command line interface of Git?
  22. Is there a way to get my emacs to recognize my bash aliases and custom functions when I run a shell command?
  23. How can I execute a bash function using sudo?
  24. Get Environment Variable from Docker Container
  25. What is the proper way to test a Bash function’s return value?
  26. An efficient way to transpose a file in Bash
  27. How to use aliases defined in .bashrc in other scripts?
  28. How to check if a file contains a specific string using Bash
  29. How can I get a recursive full-path listing, one line per file?
  30. reverse the order of characters in a string

Leave a Comment