Newsgroups: php.internals
Date: Fri, 26 Sep 2014 13:46:11 +0300
To: PHP Developers Mailing List
Subject: Cases Where Bash Shellshock Does Not Apply (mod_php, php-fpm)
From: mapopa@gmail.com (marius adrian popa)

Maybe we need an official stance about Shellshock.
I mainly use php-fpm and mod_php (I didn't use PHP under CGI for years).

http://jaxbot.me/articles/cases-where-bash-shellshock-is-safe-09-25-2014
http://www.reddit.com/r/programming/comments/2hc1w3/cve20146271_remote_code_execution_through_bash/ckrdqdb

PHP scripts executed with mod_php are not affected even if they spawn subshells.

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/