From d78baac26253edfefafda7c9996d23e806eadf41 Mon Sep 17 00:00:00 2001 From: Zhiming Wang Date: Sun, 14 Feb 2016 16:31:46 -0800 Subject: Improve use of language in an old post Shellshock was a vulnerability, but I'm not sure if it was exploited (for malicious purposes) in the wild before fixes were released. --- source/blog/2015-11-25-bash-function-exporting-fiasco.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source/blog/2015-11-25-bash-function-exporting-fiasco.md') diff --git a/source/blog/2015-11-25-bash-function-exporting-fiasco.md b/source/blog/2015-11-25-bash-function-exporting-fiasco.md index 37246a0d..7877699e 100644 --- a/source/blog/2015-11-25-bash-function-exporting-fiasco.md +++ b/source/blog/2015-11-25-bash-function-exporting-fiasco.md @@ -36,6 +36,6 @@ That's surprising but not scary enough, because if you're not a fool you won't c Note that we're actively doing nothing in `sh`, yet we get all these syntax errors from loading `func`. This happens to every invocation of `sh`, and as you might expect, there are no shortage of programs that are either `sh` scripts (e.g., fasd) or have internal `sh` calls (e.g., GNU Parallel). A single export of a Bourn shell incompatible function will haunt you through the entire session. Oops. -As I said, I don't know if the displayed error messages are due to Apple's modifications (anyone willing to look at the [source code](https://opensource.apple.com/source/bash/bash-97/)?), since a symlink named `sh` to `/bin/bash` doesn't print error messages, but instead load the wrong function, which is almost as bad but less annoying to innocent users. At any rate, it's not even worth reporting, either to GNU or Apple, because we're stuck with bash 3.2 for `/bin/sh` forever (thank you GPLv3), and it takes hell of an exploit like shellshock to get a small update out of Apple's hands. We can install newer shells to `/usr/local` as much as we'd like to, but `/bin/sh` is simply the final word for many tasks involving the shell. Yet it's stained by this troubled bash-specific feature, and it's not going anywhere. So sad. +As I said, I don't know if the displayed error messages are due to Apple's modifications (anyone willing to look at the [source code](https://opensource.apple.com/source/bash/bash-97/)?), since a symlink named `sh` to `/bin/bash` doesn't print error messages, but instead load the wrong function, which is almost as bad but less annoying to innocent users. At any rate, it's not even worth reporting, either to GNU or Apple, because we're stuck with bash 3.2 for `/bin/sh` forever (thank you GPLv3), and it takes a hell of a vulnerability like shellshock to get a small update out of Apple's hands. We can install newer shells to `/usr/local` as much as we'd like to, but `/bin/sh` is simply the final word for many tasks involving the shell. Yet it's stained by this troubled bash-specific feature, and it's not going anywhere. So sad. [^lisp]: I'm not commenting on the security of Lisp. -- cgit v1.2.1