in reply to Taint and Shellshock

Sometimes elements of the parent environment need to be passed through

Shouldn't this line avoid all potential Shellshock exploits?

s/^\(\) {.*// for values %ENV

Cheers Rolf

(addicted to the Perl Programming Language and ☆☆☆☆ :)

BTW: Couldn't fully test because my Perl doesn't seem to be exploitable! (?)

edit

erased code example 10 mins after posting ...

update

never mind, my Ubuntu system runs dash which isn't vulnerable :)

perl -e 'print ` ls -l /proc/\$\$/exe `'
lrwxrwxrwx 1 lanx lanx 0 2014-09-27 12:13 /proc/25970/exe -> /bin/dash

Re^2: Taint and Shellshock
by kennethk (Abbot) on Sep 27, 2014 at 17:38 UTC

    While in theory this seems sound, it still feels like the classic black-listing that always seems to fall prey to some clever escaping scheme. Perhaps I'm being paranoid, but it seems like best practice should have any spawned processes firewalled off from anything you didn't explicitly give it.


    #11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.

      While in theory you can whitelist keys which need to be passed through from the parent's env to bash, you'll hardly be able to avoid dangerous values without some heuristics...

      Like forbidding anything which looks like an env-function.

      That's what my regex does in a generic way, i.e. erasing magic values starting with () { .

      You are free to combine it with further defense measures.°

      But I doubt you can efficiently realize an individual validation for each string format (like PATH, HOST, IP, USERNAME, ...).

      Cheers Rolf

      (addicted to the Perl Programming Language and ☆☆☆☆ :)

      °) something like (untested)

       local %ENV = map { $_ => kill_func($ENV{$_}) } @whitelist;
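One way to combine the key whitelist with the function-stripping check from the post above, as an added Perl example (not Rolf's code): the key list, the sub names sanitize_env and looks_like_func, and the sample environment are constructed for illustration. It goes slightly beyond the post by dropping a value entirely when it looks like an exported function definition, rather than erasing only its first line.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Keys the child process is allowed to inherit (hypothetical list).
my @whitelist = qw(PATH HOME LANG TERM);

# True when a value begins like an exported bash function, i.e. the
# "() {" prefix that the Shellshock bug parses and executes.
sub looks_like_func {
    my ($v) = @_;
    return defined $v && $v =~ /^\(\) \{/;
}

# Build a fresh environment from whitelisted keys only. A value that looks
# like a function definition is dropped whole instead of being trimmed.
sub sanitize_env {
    my ($env, @keys) = @_;
    my %clean;
    for my $k (@keys) {
        next unless exists $env->{$k};
        next if looks_like_func($env->{$k});
        $clean{$k} = $env->{$k};
    }
    return %clean;
}

# Constructed sample environment, not captured from a real system.
my %sample = (
    PATH  => '/usr/bin:/bin',
    HOME  => '/home/example',
    LANG  => '() { :;}; echo not-a-locale',   # constructed hostile value
    SHELL => '/bin/bash',                     # not whitelisted, dropped
);

my %clean = sanitize_env(\%sample, @whitelist);
print "kept: ", join(',', sort keys %clean), "\n";

# Scope the replacement to the spawn so the rest of the program keeps its %ENV.
{
    local %ENV = sanitize_env(\%ENV, @whitelist);
    # List-form system: our arguments are not re-parsed by a shell.
    system('/bin/sh', '-c', 'echo "child sees LANG=$LANG"');
}
```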

        ww posted an article that comes to similar conclusions to yours. I'm definitely more inclined toward a whitelist than a blacklist, but I'd much prefer a hard-coded environment for my child process. The original intent of my query was really intended to find out why a scorched earth approach might be problematic. In the kind of code I end up running in these types of situations, there's no reason to not take the draconian approach (PDF generation, numerics, ...). I also try to avoid single-argument system and exec, but that's mostly because I don't trust my escaping talents.

        In any case, I'll be using your regex for any values I have to pass through, and I appreciate your thoughts on the matter.


        #11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.