you misrepresent. rsc addressed the non-web-centric issue:

> I don't think it is super important to try to make rc defend against
> malicious environments, any more than
> it is to make it somehow defend against malicious $paths. If those are
> security-relevant, you've already lost.

On Fri, Sep 26, 2014 at 9:32 AM, Kurt H Maier <[email protected]> wrote:

> Quoting Russ Cox <[email protected]>:
>
>> The right fix is to eliminate all possible interaction between (1) and
>> (2).
>> The first public fix focused instead on making (1) more robust, and guess
>> what, it wasn't good enough and now there is a *second* CVE about this
>> problem, and a *second* attempt at making (1) more robust. It is almost
>> certainly too late to change CGI, but bash could be changed to just ignore
>> CGI's variables (HTTP_*), and I hope that's what will eventually happen.
>> I'm not holding my breath: I bet we'll see a cascade of patches trying to
>> make this interaction "safe" instead of removing it.
>>
>>
> This is a heartbreakingly web-centric view of these issues.  The real
> problem is that bash was evaling stuff that had () { in it, and it is
> very, very much not relegated to CGI use.  There are exploits in the
> wild for both DHCP and ssh.
>
> Obviously bash is an awful shell, but munging it for apache is not the
> right answer to anything.
>
> khm
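As an added example (not code from anyone in this thread), here is a small Python check that a CGI front end or log reviewer could run over the variables it is about to hand to a shell-backed script: it flags request-controlled variables (HTTP_* and friends) whose value carries the "() {" function-definition prefix bash used to parse, and drops them, which is the "remove the interaction" approach rather than the "make bash more robust" one. The variable list, function names and sample environment are assumptions constructed for the example.

```python
import re

# Pre-fix bash imported a function from any environment variable whose
# value began with the exact bytes "() {". For detection this pattern is
# deliberately a little broader (leading whitespace, optional space before
# the brace) so near-misses are flagged too. Assumption for this example.
FUNC_EXPORT_RE = re.compile(r"^\s*\(\)\s*\{")

# CGI variables whose values come straight from the client request.
# Assumed list; extend it for the gateway you actually run.
REQUEST_CONTROLLED_PREFIXES = ("HTTP_",)
REQUEST_CONTROLLED_NAMES = {"QUERY_STRING", "REQUEST_URI", "PATH_INFO",
                            "REQUEST_METHOD", "CONTENT_TYPE"}


def is_function_export(value: str) -> bool:
    """True if the value looks like an exported bash function body."""
    return FUNC_EXPORT_RE.match(value) is not None


def is_request_controlled(name: str) -> bool:
    """True if a CGI gateway fills this variable from the HTTP request."""
    return (name.startswith(REQUEST_CONTROLLED_PREFIXES)
            or name in REQUEST_CONTROLLED_NAMES)


def scan_environ(environ: dict) -> list:
    """Names of request-controlled variables shaped like function exports."""
    return sorted(name for name, value in environ.items()
                  if is_request_controlled(name) and is_function_export(value))


def sanitize_environ(environ: dict) -> dict:
    """Copy of environ with the flagged variables removed, for use before
    spawning a CGI handler that may end up in bash (directly or via system())."""
    flagged = set(scan_environ(environ))
    return {name: value for name, value in environ.items() if name not in flagged}


# Constructed sample CGI environment: one header value shaped like a
# function export, the rest benign.
SAMPLE_ENVIRON = {
    "HTTP_USER_AGENT": "() { :; }; echo probe",   # constructed, harmless body
    "HTTP_HOST": "example.invalid",
    "QUERY_STRING": "id=42",
    "PATH": "/usr/bin:/bin",                       # not request controlled
    "SERVER_SOFTWARE": "constructed-httpd/0.1",
}

if __name__ == "__main__":
    print("flagged:", scan_environ(SAMPLE_ENVIRON))
    print("kept:", sorted(sanitize_environ(SAMPLE_ENVIRON)))
```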
