PerlMonks

Re: The importance of avoiding the shell

by Corion (Patriarch)
on Sep 25, 2014 at 11:39 UTC


in reply to The importance of avoiding the shell

Note that "the shell" in this case is only problematic if your system default shell is bash. If your system default shell (/bin/sh) is something other than bash (for example, ash, dash, ksh, some vendor sh), in the case of this CVE you are likely safe.

Still, it's a good idea to use Perl built-ins instead of shelling out.
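Added example (not from Corion's post or the thread): a short script showing why "avoid the shell" matters for Perl's system(). It assumes a POSIX system with /bin/sh and ls(1); the directory name containing "; echo INJECTED" is constructed for the demo and stands in for attacker-controlled input.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread.  Shows the same command run
# three ways: string-form system() (goes through the shell), list-form
# system() (no shell), and Perl built-ins (no external program at all).
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

my $base = tempdir(CLEANUP => 1);

# Constructed "user input": a shell sees the ';' and runs a second command.
my $name = 'data; echo INJECTED';
my $path = File::Spec->catdir($base, $name);
mkdir $path or die "mkdir $path: $!";

# 1. Single-string system(): ';' is a shell metacharacter, so Perl hands
#    the whole string to the configured shell (-c), which splits it and
#    prints INJECTED after failing to find the truncated path.
print "--- string form (through the shell) ---\n";
system("ls -d $path");

# 2. List form: Perl calls execvp() directly; the odd name is a single
#    argument and ls just lists the directory.
print "--- list form (no shell) ---\n";
system('ls', '-d', $path) == 0 or warn "ls failed: $?\n";

# 3. Better still: do it in Perl and never leave the process.
print "--- Perl built-ins ---\n";
opendir(my $dh, $base) or die "opendir $base: $!";
my @entries = grep { $_ ne '.' && $_ ne '..' } readdir $dh;
closedir $dh;
print "$_\n" for @entries;
```

Only the first variant is exposed to whatever /bin/sh happens to be; the other two do not care which shell is installed or whether it is patched.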

Re^2: The importance of avoiding the shell
by jhourcle (Prior) on Sep 25, 2014 at 11:53 UTC

    Notice how in my first test, I called sh? Some OSes (these examples were from a MacOS X box) use bash for sh.

    You should run the tests and check if you're vulnerable. Don't just think 'oh, it won't happen to me, I'm using ksh', as perl may still send to a vulnerable sh:

    sh-3.2$ ksh
    $ set -o emacs
    $ env x='() { :;}; echo vulnerable' ksh -c "echo this is a test"
    this is a test
    $ env x='() { :;}; echo vulnerable' perl -e 'system "echo test;"'
    vulnerable
    test

      This is why Corion, whom I assure you is not an idiot, mentioned the concept of the default shell. Please do read what you are responding to before repeating what was just said in a haughty way.

Re^2: The importance of avoiding the shell
by LanX (Saint) on Sep 27, 2014 at 10:25 UTC
    Here is a code sample that helped me identify which shell is used by system et al.

    > perl -e 'print ` ls -l /proc/\$\$/exe `'
    lrwxrwxrwx 1 lanx lanx 0 2014-09-27 12:13 /proc/25970/exe -> /bin/dash

    HTH! :)

    Cheers Rolf

    (addicted to the Perl Programming Language and ☆☆☆☆ :)

      The shell used by system is actually given by perl -V:sh.

      $ perl -V:sh
      sh='/bin/sh';

      If you want to find out if that's bash, you can use

      $ ls -l /bin/sh
      lrwxrwxrwx 1 root root 9 Apr 10 17:08 /bin/sh -> /bin/bash

      Like your code, that only works if /bin/sh is a symlink. A more reliable check is

      $ /bin/sh --version
      GNU bash, version 4.1.5(1)-release (x86_64-pc-linux-gnu)
      ...
        I think in a world of multiple forks and vendors the most reliable way is just testing for the exploit itself, like it's done (used to be?) with JS features in different browsers.

        The situation is similar: since alternative shells come as compatible replacements for bash, they try to mimic authentication, i.e. version numbers or env vars are not that reliable.

        For instance, my dash does not even support the --version option:

        lanx@nc10-ubuntu:~$ dash --version
        dash: Illegal option --
        lanx@nc10-ubuntu:~$ dash -version
        dash: Illegal option -r

        I already tested for symlink without success, but seems like I had a typo ...

        Cheers Rolf

        (addicted to the Perl Programming Language and ☆☆☆☆ :)

      I was trying to create an example for FreeBSD 8-STABLE, and found that one cannot rely on (from system) ...

      ... If there is only one scalar argument, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the system's command shell for parsing (this is "/bin/sh -c" on Unix platforms, but varies on other platforms). If there are no shell metacharacters in the argument, it is split into words and passed directly to "execvp", which is more efficient. ...

      ... as I could not find any trace of a shell for system q[date 2>&1] & ktrace via ...

      ktrace -di perl -e 'print system q[date 2>&1]' \
          && kdump -d | fgrep /bin/sh

      ... had to use ...

      ktrace -di perl -e 'print system q[date 2>&1 </dev/null]'

      ... to invoke the shell (/bin/sh). Apparently 2>&1 does not qualify as shell metacharacters (here).

      (An actual example has yet to be produced.) date 2

        Perl has special logic to recognize 2>&1 to make this idea work on Windows. The Windows default shell (cmd.exe) does not understand 2>&1, but (too) many programmers use this idiom.
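Added example (not code from any of the posts above): one script that pulls together what the replies recommend. It reads the shell Perl was built to use (the same value as `perl -V:sh`), asks that shell directly whether it is bash instead of trusting a symlink or a --version flag, runs the thread's probe string through Perl with a metacharacter so the shell really is invoked, and then repeats it with only `2>&1`, which Perl handles itself without a shell. It assumes a POSIX system; the probe string is the one used in the thread.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread.  Assumes POSIX; the probe
# environment variable is the CVE-2014-6271 test string used above.
use strict;
use warnings;
use Config;

# The shell Perl hands single-string commands to (same as perl -V:sh).
my $sh = $Config{sh};
print "perl will use: $sh\n";
printf "  (symlink -> %s)\n", readlink($sh) if -l $sh;

# Ask the shell itself: only bash sets BASH_VERSION, so this works whether
# $sh is a symlink, a copy, or a shell that rejects --version (like dash).
chomp(my $ver = `$sh -c 'echo "\${BASH_VERSION:-not bash}"'`);
print "  reports: $ver\n";

# Probe through the shell.  The trailing ';' is a shell metacharacter, so
# Perl runs "$sh -c 'echo test;'" and a vulnerable bash prints 'vulnerable'
# while importing the function-like variable x from the environment.
{
    local $ENV{x} = '() { :;}; echo vulnerable';
    my $out = `echo test;`;
    print "--- probe via shell ---\n$out";
    print $out =~ /^vulnerable$/m
        ? "=> $sh is VULNERABLE\n"
        : "=> not vulnerable (or $sh is not bash)\n";
}

# Contrast: a command whose only "metacharacters" are a trailing 2>&1 is
# not given to the shell at all.  Perl dup2()s stderr onto stdout itself
# and execvp()s 'echo' directly, so the probe cannot fire here even on a
# vulnerable bash.  Adding something like '</dev/null' would force $sh -c.
{
    local $ENV{x} = '() { :;}; echo vulnerable';
    my $out = `echo test 2>&1`;
    print "--- same probe, 2>&1 only (no shell) ---\n$out";
}
```

The second block is why a ktrace/strace of `date 2>&1` shows no /bin/sh: the absence of a shell there says nothing about whether the shell is vulnerable, so test with a command that actually forces it.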
