
Why is bash the only program which has special permission to trust its input?



It has permission to trust the input the user enters into it, because that is its job. 20 years ago nobody assumed variable environments were an issue, but this should have been fixed years ago.

I am also pissed that they patched the parser; the feature is still in there when nobody uses it and it has already proven to be a security vuln once.


It's used by bash itself for communicating with subprocesses.

Input you type at the terminal is not the same as an environment variable; hackers set environment variables much more often than legitimate users.


There are many other ways Bash could do that, though, which would make it much harder for further exploits, such as opening a pipe and writing them to the sub-process that way so it goes "out of band" from the regular environment variables. Or if it has to be in environment variables: accept a special argument in the argument list that is a key it uses to sign the variables. It does not need to remain secret - just make sure that just inheriting environment variables with potential attempted exploits is insufficient for anything to get executed.

And/or change the way these definitions are handled - I get that it's tantalizingly simple to just pass this through their usual parser since then you get the function definition parsing for free, but at the very least this parsing of the environment variables shouldn't go through a code path that even potentially executes anything.
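
A sketch of the "key in the argument list" idea from the comment above, added here as an illustration; it is not code from the thread or from Bash. The `SHFUNC_` prefix, the function names and the sample values are all hypothetical, and the key is assumed to reach the child on its argument list.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PREFIX = "SHFUNC_"  # hypothetical marker for exported function definitions


def _tag(key: bytes, name: str, body: str) -> str:
    # Bind the tag to both the function name and its body.
    msg = name.encode() + b"\0" + body.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def export_functions(funcs: dict, key: bytes) -> dict:
    """Parent side: encode each definition as SHFUNC_<name>=<tag>:<body>."""
    return {PREFIX + n: _tag(key, n, b) + ":" + b for n, b in funcs.items()}


def import_functions(env: dict, key: Optional[bytes]) -> dict:
    """Child side: return only definitions whose tag verifies under key.

    Nothing is parsed or evaluated here; unverified values stay inert strings.
    """
    accepted = {}
    if key is None:  # no key on the argument list: import nothing
        return accepted
    for var, value in env.items():
        if not var.startswith(PREFIX):
            continue
        name = var[len(PREFIX):]
        tag, sep, body = value.partition(":")
        expected = _tag(key, name, body)
        if sep and hmac.compare_digest(tag.encode(), expected.encode()):
            accepted[name] = body
    return accepted


def demo() -> dict:
    key = secrets.token_bytes(16)  # fresh per child invocation
    env = export_functions({"greet": "{ echo hello; }"}, key)
    # Constructed sample: variables an untrusted client managed to set.
    env["HTTP_USER_AGENT"] = "text chosen by a remote client"
    env[PREFIX + "evil"] = "0" * 64 + ":{ echo injected; }"
    return import_functions(env, key)


if __name__ == "__main__":
    print(demo())  # only the parent's own definition survives
```

A variable that is merely inherited, even one using the right prefix, carries no valid tag for the per-invocation key and is never handed to a parser.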


> There are many other ways Bash could do that, though

KSH and ZSH will load functions from files they find via $FPATH.


I guess as a POSIX-compliant shell, Bash can be expected to trust its inputs on stdin and in special environment variables like PATH.

But the problem emerges from trusting 100% of inputs, not just the inputs that are intended to be trusted.



