Re: Shellshock (was: How to do secure coding and create secure software)

["David A. Wheeler" <dwheeler () dwheeler com>]

> On Sep 30, 2025, at 2:18 AM, Solar Designer <solar () openwall com> wrote: ...
>
> On Tue, Sep 30, 2025 at 01:02:01AM -0500, Jacob Bachmeyer wrote:
> > Small nit here:  Shellshock was clearly a vulnerability in Bash and I am 
> > unsure if the way Bash exports shell functions was documented at all.
> ...
> > If presented with an environment variable value having the correct form 
> > for a shell function, but containing more text than the body of the 
> > function, Bash would immediately execute the trailing text as commands 
> > while importing the shell function from the environment.  That was 
> > Shellshock.
>
> Yes, there were multiple Shellshock-related code issues in bash, and
> several CVEs were rightly assigned against bash.  No arguing about that.
> Also, the proper Shellshock was exposed as a vulnerability by far not
> only through HTTP servers, since it parsed variables of any names.

All true. Shellshock's story is complicated in part because
early "fixes" didn't fix it. Its revelation was over 10 years ago, so
some readers here may not be familiar with Shellshock. I wrote a detailed article
about Shellshock here, including ways detect or prevent similar vulnerabilities:

https://dwheeler.com/essays/shellshock.html

--- David A. Wheeler