Shellshock on rc(1)

Issue #187 resolved
Christian Neukirchen
created an issue

Plan9port rc(1) (rev 3442) is vulnerable to running code from the environment upon execution:

% env 'fn#foo={}
    echo vulnerable
    ' /opt/plan9/bin/rc
vulnerable

(The newlines are required.) Since this only works for variable names starting with 'fn#', it's not as critical as the current bash issue. Still, it could be problematic.

Comments (3)

  1. Russ Cox repo owner

    I am not sure I care. I am not even sure this is really a bug in bash. The bug is that CGI puts untrusted text into the environment. Trying to make this 'safe' seems delusional. The right workaround in bash (only because bash is an easier place to fix this widespread problem) is to disable function parsing entirely in environment variables beginning with "HTTP_" - CGI means those must be treated as untrusted.

    Thankfully, rc does not apply function parsing to variables beginning with "HTTP_", so this is not a problem even if Unix systems were using rc scripts as CGI programs.

    The shell is simply not meant to deal with untrusted input.

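The following is an added example, not code from this issue thread or from plan9port: it parses a NUL-separated environment block (so the newline-containing value from the report stays intact) and removes every name starting with `fn#` before rc is started. The helper names, the `run_rc` wrapper and the sample block are assumptions constructed for illustration.

```python
import subprocess
import sys

RC_FN_PREFIX = b"fn#"  # per the issue, rc only parses names starting with this


def parse_environ_block(raw):
    """Parse a NUL-separated environment block (the /proc/<pid>/environ layout).

    Splitting on NUL rather than on newlines matters here: the value in the
    issue's reproduction contains newlines.
    """
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        name, sep, value = entry.partition(b"=")
        if sep:  # skip malformed entries that have no '='
            env[name] = value
    return env


def split_env_for_rc(env):
    """Return (safe, dropped): env minus rc function imports, and what was removed."""
    safe, dropped = {}, {}
    for name, value in env.items():
        (dropped if name.startswith(RC_FN_PREFIX) else safe)[name] = value
    return safe, dropped


def run_rc(rc_path, args, env):
    """Hypothetical wrapper: start rc with the scrubbed environment only."""
    safe, dropped = split_env_for_rc(env)
    for name, value in dropped.items():
        # Log the name and size only, never the untrusted value itself.
        print(f"dropping {name!r} ({len(value)} bytes) before exec", file=sys.stderr)
    return subprocess.run([rc_path, *args], env=safe, check=False)


# Constructed sample block: the issue's variable next to ordinary and CGI-style entries.
SAMPLE = (b"PATH=/bin:/usr/bin\0"
          b"HTTP_USER_AGENT=example/1.0\0"
          b"fn#foo={}\n    echo vulnerable\n    \0")

if __name__ == "__main__":
    safe, dropped = split_env_for_rc(parse_environ_block(SAMPLE))
    print("kept:", sorted(safe))
    print("dropped:", sorted(dropped))
```

The same `parse_environ_block` can be pointed at the bytes read from `/proc/<pid>/environ` on Linux to audit the environment a running service was started with.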