CGI::Application and recent bash security hole

Dagfinn Ilmari Mannsåker ilmari at
Thu Sep 25 17:50:54 BST 2014

[Sorry for the empty response, I fat-fingered]

gvim <gvimrc at> writes:

> I built a site several years ago with CGI::Application which runs in
> cgi, not psgi mode. Is it likely to be vulnerable to the recent bash
> security hole which I understand revolves around setting ENV variables?

If you ever end up invoking bash you will be vulnerable, since CGI
passes the HTTP headers as HTTP_* environment variables.

Remember that Perl's system()¹ , as well as C's system() and popen()
invoke /bin/sh, which may or may not be bash (it is on RedHat-like
systems, but not on Debian-like systems, for example).

[1]: If it's passed a single argument which contains shell metacharacters

- Twitter seems more influential [than blogs] in the 'gets reported in
  the mainstream press' sense at least.               - Matt McLeod
- That'd be because the content of a tweet is easier to condense down
  to a mainstream media article.                      - Calle Dybedahl

More information about the mailing list