function - Is the behavior behind the Shellshock vulnerability in Bash documented or at all intentional?

Question

A recent vulnerability, CVE-2014-6271, in how Bash interprets environment variables was disclosed. The exploit relies on Bash parsing some environment variable declarations as function definitions, but then continuing to execute code following the definition:

$ x='() { echo i do nothing; }; echo vulnerable' bash -c ':'
vulnerable

But I don't get it. There's nothing I've been able to find in the Bash manual about interpreting environment variables as functions at all (except for inheriting functions, which is different). Indeed, a proper named function definition is just treated as a value:

$ x='y() { :; }' bash -c 'echo $x'
y() { :; }

But a corrupt one prints nothing:

$ x='() { :; }' bash -c 'echo $x'

$ # Nothing but newline

The corrupt function is unnamed, and so I can't just call it. Is this vulnerability a pure implementation bug, or is there an intended feature here, that I just can't see?

Update

Per Barmar's comment, I hypothesized the name of the function was the parameter name:

$ n='() { echo wat; }' bash -c 'n'
wat

Which I could swear I tried before, but I guess I didn't try hard enough. It's repeatable now. Here's a little more testing:

$ env n='() { echo wat; }; echo vuln' bash -c 'n'
vuln
wat
$ env n='() { echo wat; }; echo $1' bash -c 'n 2' 3 -- 4

wat

…so apparently the args are not set at the time the exploit executes.

Anyway, the basic answer to my question is, yes, this is how Bash implements inherited functions.

Answer 1

This seems like an implementation bug.

Apparently, the way exported functions work in bash is that they use specially-formatted environment variables. If you export a function:

f() { ... }

it defines an environment variable like:

f='() { ... }'

What's probably happening is that when the new shell sees an environment variable whose value begins with (), it prepends the variable name and executes the resulting string. The bug is that this includes executing anything after the function definition as well.

The fix described is apparently to parse the result to see if it's a valid function definition. If not, it prints the warning about the invalid function definition attempt.

This article confirms my explanation of the cause of the bug. It also goes into a little more detail about how the fix resolves it: not only do they parse the values more carefully, but variables that are used to pass exported functions follow a special naming convention. This naming convention is different from that used for the environment variables created for CGI scripts, so an HTTP client should never be able to get its foot into this door.