[Dnsmasq-discuss] Shellshock.
Roy Marples
roy at marples.name
Tue Sep 30 09:05:50 BST 2014
Hi Simon
On Monday 29 Sep 2014 20:17:56 Simon Kelley wrote:
> There's no definition of what is allowed in those DHCP options, so it's
> quite possible that a shell metacharacter would be encountered.
> Sanitising the strings would therefore change what gets passed to the
> script, i.e. it would be an API change.
I've not looked at the dnsmasq source for this, but are you encoding binary
non-graphic data? If not, what is the expectation in the script? If so, you are
encoding it regardless - thus if you encode the shell metas in a similar
fashion the API hasn't changed.

Just because the DHCP RFC for option foo says it's an ASCII string does not
mean that's what is really in the option; it could easily be a PNG of Rick
Astley!
> Of course, the shell isn't supposed to interpret metacharacters in the
> value of shell variables unless explicitly told to: so sanitising
> shouldn't be required (though I concede it would mitigate a lot of
> common shell-script errors.)
Shells shouldn't allow function definitions in variables, but here we are :)
Thanks
Roy
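
The encoding discussed in this message, sketched as an added example (it is not dnsmasq's code and not code from this thread): non-graphic bytes and shell metacharacters are written with the same octal escape before an option value is handed to a script. The name `encode_option`, the `\ooo` escape format and the metacharacter set are assumptions; the sample values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed metacharacter set; backslash is included so the encoding
 * stays unambiguous and can be reversed by the script if needed. */
static const char SHELL_META[] = "\\|&;<>()$`\"'*?[]#~=%{}!";

/* Encode raw option bytes into out as a NUL-terminated string.
 * Non-graphic bytes (controls, space, NUL, anything >= 0x80) and shell
 * metacharacters become \ooo (three octal digits); all else is copied.
 * Returns the encoded length, or -1 if out is too small. */
long encode_option(const unsigned char *in, size_t inlen,
                   char *out, size_t outlen)
{
    size_t o = 0;

    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        int plain = c < 0x80 && isgraph(c) && strchr(SHELL_META, c) == NULL;
        size_t need = plain ? 1 : 4;

        if (o + need + 1 > outlen)      /* keep room for the final NUL */
            return -1;
        if (plain)
            out[o++] = (char)c;
        else
            o += (size_t)snprintf(out + o, 5, "\\%03o", (unsigned)c);
    }
    if (o + 1 > outlen)
        return -1;
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed samples, not captured from a real DHCP exchange. */
    const unsigned char fn[]  = "() { a; }";   /* function-definition form */
    const unsigned char bin[] = { 'p', 0x89, 'n', 0x00, '$', 'g' };
    char buf[64];

    if (encode_option(fn, sizeof fn - 1, buf, sizeof buf) >= 0)
        puts(buf);
    if (encode_option(bin, sizeof bin, buf, sizeof buf) >= 0)
        puts(buf);
    return 0;
}
```

Because parentheses and braces are escaped like any other byte, an encoded value can never begin with the `() {` sequence that an unpatched bash parses as a function definition.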