On Sat, Sep 27, 2014 at 8:26 PM, Eric Blake <ebl...@redhat.com> wrote:
> There has been a LOT of news about bash's Shell Shock bug lately.
> Document some of the ramifications it has on portable scripting.
I think this is a good idea in the abstract, but I think it's maybe a
little too specific to this particular incident. Can I suggest
instead
+Posix requires @command{export} to work with any arbitrary value for the
+contents of the variable being exported. However, some shells have extensions
+that involve interpreting some values specially. We currently know of only one
+case: all versions of Bash released prior to 27 September 2014 interpret
+an environment variable whose value begins with @code{() @{} as a shell
+function definition. (This is the ``Shellshock'' bug, CVE-2014-6271; it was
+possible to exploit the parser and cause code to execute immediately upon
+shell startup. Newer versions of Bash use special environment variable
+@emph{names} to implement the same feature.)
