Intro
It seems a bit of sloppy programming on the part of the bash source coders has given rise to the shellshocked bug. Fortunately, most modern Unix and Linux distributions will see a bash patch released rather quickly to address it, but what about those odd few legacy systems that have been quietly running an old distribution of Unix or Linux for years?
Below is an idea for a workaround.
Unix: The workaround
My understanding is that this exploit stems from bash's command line parser, which executes poorly when spawning a new shell in conjunction with preserving exported functions.
My approach to solving this problem is to help with the parsing by cleaning up the functions before they are exported. I do this by replacing bash's inbuilt export function with my own export function.
The scriptlet below can be installed in an application startup script, a wrapper script, or even inside /etc/profile or bashrc.
NOTE: Be aware that /bin/sh and /bin/bash can be separate binaries on older systems. If that is the case, you may have to make this scriptlet conditional inside /etc/profile so that it executes for bash only.

```bash
#############################################################################
# Start of scriptlet "export"
#############################################################################
#
# BSD License for scriptlet export
# Copyright (c) 2014, Arthur Gouros
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# - Redistributions of source code must retain the above copyright notice,
#   this list of conditions and the following disclaimer.
# - Redistributions in binary form must reproduce the above copyright notice,
#   this list of conditions and the following disclaimer in the documentation
#   and/or other materials provided with the distribution.
# - Neither the name of Arthur Gouros nor the names of its contributors
#   may be used to endorse or promote products derived from this software
#   without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
#
# Override bash's inbuilt export command with one that mitigates the
# shellshocked bug by cleaning up exported functions before they are
# exported.
#
#
# Author: Arthur Gouros 30/09/2014 :
# This function overloads (in C++ lingo) the export function
# Declare this in your scripts, or introduce in a wrapper,
# or add to bashrc.
#
# Disable bash's builtin export function before defining the new function.
enable -n export

# Define the new export function
export()
{
    # Step 1: Disable the bash builtin export function
    enable -n export

    # Step 2: Clean any exported function of nasties before export
    #   - lots of room for improvement here, this is just one basic idea.
    #   - "$*" joins all arguments into one string, so this handles a single
    #     NAME=VALUE argument per call.
    pruned_variable=`echo "$*" | gawk '
        BEGIN {
            RS="}"
            isafunc=0
            prev_rec=""
        }

        # Awk main
        {
            if(index($0, "()"))
                isafunc=1
            printf("%s", prev_rec)
            prev_rec = $0
        }

        END {
            if(isafunc)
                print "};"
            else
                print $0
        }'`

    # Step 3: Debug - uncomment to debug
    #echo "$pruned_variable"

    # Step 4: Now we can export the cleaned up function
    enable -a export
    builtin export "$pruned_variable"
    enable -n export
}

# Now export the new export function for use in child processes.
enable -a export
builtin export -f export
enable -n export
#
#############################################################################
# End of scriptlet "export"
#############################################################################
```

I bet a few here can see a way of beating step 2, but this is really basic parsing and is here just to give you an idea. Step 2 has been deliberately left lean and mean, and more parsing/cleaning effort would be required for it to be implemented on a serious old legacy system.
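One direction for the extra parsing effort Step 2 calls for is to track brace depth, so that a legitimate function body containing nested braces survives intact while everything after its closing brace is still dropped. The function below is an added example, not part of Arthur Gouros's scriptlet; the helper name prune_funcdef and the sample inputs are constructed for illustration. It assumes braces inside quotes or comments can be counted like any other, so it remains a heuristic.

```sh
# prune_funcdef NAME=VALUE   (added example; the helper name is hypothetical)
#   Ordinary variable: printed unchanged.
#   Value starting with "() {" (an exported function): printed cut off at the
#   brace that closes the function body, so nothing after it is exported.
#   Returns 1 and prints nothing if the body never closes.
# The function body is a subshell "( ... )" so its variables stay private.
prune_funcdef() (
    arg=$1
    name=${arg%%=*}
    value=${arg#*=}
    case $value in
        "() {"*) ;;                            # function definition: inspect it
        *) printf '%s\n' "$arg"; return 0 ;;   # anything else: pass through
    esac

    rest=$value
    out=
    depth=0
    while [ -n "$rest" ]; do
        tail=${rest#?}          # everything after the first character
        ch=${rest%"$tail"}      # the first character itself
        out=$out$ch
        rest=$tail
        case $ch in
            "{") depth=$((depth + 1)) ;;
            "}") depth=$((depth - 1))
                 if [ "$depth" -eq 0 ]; then break; fi ;;
        esac
    done

    # Unbalanced braces: refuse rather than export something half-parsed.
    if [ "$depth" -ne 0 ]; then return 1; fi
    printf '%s=%s\n' "$name" "$out"
)

# Constructed sample inputs.
prune_funcdef 'EDITOR=vi'
prune_funcdef 'f=() { echo hi; }; echo trailing'
prune_funcdef 'g=() { if true; then { echo a; }; fi; }; echo trailing'
```

Inside the export override this would take the place of the gawk pipeline, with a non-zero return treated as a reason to skip the export.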
Remember, if you are running newer Unix or Linux distributions then you are much better off installing the latest bash patches for these systems.