PerlMonks

Re^9: Taint and Shellshock

by Corion (Patriarch)
on Sep 29, 2014 at 17:58 UTC [id://1102373]

in reply to Re^8: Taint and Shellshock
in thread Taint and Shellshock

Much easier to fix the problem one level deeper. Just replace /bin/bash with this Perl script:

#!/usr/bin/perl -w
# No -T here: under taint mode exec dies on the tainted @ARGV and
# $ENV{PATH}, which this wrapper must pass through to bash verbatim.
use strict;

# Clean up environment: blank every value that is an exported shell
# function ("() { ...", with /s so a multi-line body goes too)
s/^\(\) \{.*//s for values %ENV;

# Now, exec the real bash with our name and our arguments
# (the block is the program to run; the list is its argv, argv[0] first)
exec { '/bin/bash.original' } $0, @ARGV
    or die "exec /bin/bash.original: $!";

If you're looking at validating all environment variables, you'd need to know which environment variables are supposed to hold what kind of values. And for example LD_PRELOAD or LD_LIBRARY_PATH should be passed through verbatim (because if an attacker already has access to these, you can't even trust yourself).
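The same scrub as a testable function, added here as an example (not Corion's code): it works on any hash reference rather than directly on %ENV, handles the multi-line form bash uses when exporting a function, and returns the names it cleaned so a wrapper can log them. The sample environment below is constructed, not a real capture.

```perl
#!/usr/bin/perl -w
use strict;

# Scrub Shellshock-style function exports ("() { ...") from an
# environment hash. Takes a hash reference so it can be run against a
# constructed hash here or against \%ENV in a wrapper; returns the
# names of the variables it cleaned, for logging. Every other value,
# including PATH, LD_PRELOAD and LD_LIBRARY_PATH, is left untouched.
sub scrub_function_exports {
    my ($env) = @_;
    my @scrubbed;
    for my $name (sort keys %$env) {
        next unless defined $env->{$name};
        # bash exports a function as "() { body\n}"; only the "() {"
        # prefix matters, so match it and blank the whole value
        if ($env->{$name} =~ /^\(\) \{/) {
            $env->{$name} = '';
            push @scrubbed, $name;
        }
    }
    return @scrubbed;
}

# Constructed sample environment: one CGI header variable carrying a
# function export, one legitimately exported function with a multi-line
# body, and values that must pass through verbatim.
my %sample = (
    PATH            => '/usr/local/bin:/usr/bin:/bin',
    LD_PRELOAD      => '/opt/lib/libexample.so',
    HTTP_USER_AGENT => '() { :; }; echo test',
    myfunc          => "() {  echo hi\n}",
    HOME            => '/home/user',
);

my @hit = scrub_function_exports(\%sample);
print "scrubbed: @hit\n";
print "$_=$sample{$_}\n" for sort keys %sample;
```

In the wrapper, call it as `scrub_function_exports(\%ENV)` before the exec and write the returned names to syslog to see which request headers carried function exports.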

Replies are listed 'Best First'.
Re^10: Taint and Shellshock
by kennethk (Abbot) on Sep 29, 2014 at 20:28 UTC
    LD_PRELOAD and LD_LIBRARY_PATH. Thank you; I knew I was forgetting something.

    #11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.
