"Erik E. Fair" <fair-tuhs(a)netbsd.org>
writes:
That function export feature of bash was not the cause
of the
Shellshock vulnerability.
The cause was idiot programmers who wrote CGI scripts for bash
without proper data sanitization.
The manner in which bash (pre-shellshock) imported functions from the
environment, along with the vulnerability, made "proper data
sanitization" flatly impossible without deep knowledge of what kind of
strings it was looking for. It would import functions from absolutely
any variable, with any name, including variables explicitly designated
in the protocols involved to hold untrusted remote data.
Removing text in a format that triggers a feature of a particular shell
from HTTP_COOKIE is absolutely not the CGI script's responsibility (the
bug triggers before the script gets to execute a single line), and I
would argue it's not the HTTP server's problem either.
And if the bash feature had been implemented correctly, it would have
been mostly harmless (The remote client could still have caused a
function called HTTP_COOKIE to be defined, but the script's almost
certainly not going to execute it)