[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

[Xavier Morel]

On 2014-09-27, at 00:11 , Cameron Simpson <cs at zip.com.au> wrote:

> On 26Sep2014 13:16, Antoine Pitrou <solipsis at pitrou.net> wrote:
>> On Fri, 26 Sep 2014 01:10:53 -0700
>> Hasan Diwan <hasan.diwan at gmail.com> wrote:
>>> On 26 September 2014 00:28, Matěj Cepl <mcepl at cepl.eu> wrote:
>>> > Where does your faith that other /bin/sh implementations (dash,
>>> > busybox, etc.) are less buggy comes from?
>>> 
>>> The fact that they are simpler, in terms of lines of code. It's no
>>> guarantee, but the less a given piece of code does, the less bugs it will
>>> have. -- H
>> 
>> And that they have less "features" (which is certainly correlated to
>> their simplicity). IIUC, the misimplemented feature leading to this
>> vulnerability is a bash-ism.
> 
> IIRC you could export functions in ksh. Or maybe only aliases. But that implies most POSIX shells may support it.

From my understanding KSH's function export is so a function becomes
available in the caller of a script e.g. if you define a function in
your .kshrc it's internal to the file (and won't be available in the
interactive shell) unless you export it:
http://users.speakeasy.net/~arkay/216-7.4KshFunctions.html

KSH (and ZSH) will also load functions from files on $FPATH, but AFAIK
that's it.