On Sat, Sep 27, 2014 at 8:26 PM, Eric Blake <ebl...@redhat.com> wrote:
> There has been a LOT of news about bash's Shell Shock bug lately.
> Document some of the ramifications it has on portable scripting.
I think this is a good idea in the abstract, but I think it's maybe a little too specific to this particular incident. Can I suggest instead +Posix requires @command{export} to work with any arbitrary value for the +contents of the variable being exported. However, some shells have extensions +that involve interpreting some values specially. We currently know of only one +case: all versions of Bash released prior to 27 September 2014 interpret +an environment variable whose value begins with @code{() @{} as a shell +function definition. (This is the ``Shellshock'' bug, CVE-2014-6271; it was +possible to exploit the parser and cause code to execute immediately upon +shell startup. Newer versions of Bash use special environment variable +@emph{names} to implement the same feature.)
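Review bot: The proposed paragraph describes what older Bash does with a value beginning with `() {` but never tells a script author what to do about it, although the original commit set out to document the ramifications for portable scripting. After the sentence ending "as a shell function definition", consider adding one sentence of guidance, for example that a portable script should not export a variable whose value begins with that sequence when the child process may be an older Bash. Two smaller points: "released prior to 27 September 2014" identifies the affected shells by date, which a reader cannot easily compare against an installed binary, so a note on how to recognize an affected shell would help; and the closing parenthetical says newer Bash uses special environment variable names without describing their form, so the reader cannot tell which names to avoid in their own scripts.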