fedora-review: 'Illegal return' warnings

Florian Weimer fweimer at redhat.com
Sun Oct 5 15:15:51 UTC 2014

On 10/04/2014 10:18 PM, Alec Leamas wrote:
> Hm.... seems that recent bash patch to fix the shellshock problem
> introduces this. Fedora-review relies on exported shell functions
> (export -f) and the bash fix changes the syntax for exported functions
> in an incompatible way.

It's the attempt at cleaning up the environment, see 

unset $(env | sed -n 's/=.*//p')

With exported functions, that was fairly broken before (with multi-line 
function definitions and “=” somewhere in the body), but after the bash 
change, this is much more obvious and is even triggered by the exported 
function in the environment-modules package.  It would have been 
preferable to clean the environment either in the Python code, or wrap 
the shell invocation with “env -i”.

I still hope we can agree with upstream on another bash change which 
hides these bugs again, but it's difficult to separate this aspect from 
the security/hardening discussions which generate much more interest, 
overshadowing anything else.  (Upstream's “%%” would have generated 
errors here as well.)

By the way, it doesn't seem to me fedora-review needs exported 
functions, the function definitions are sourced as needed, so they don't 
have to be in the environment.

Florian Weimer / Red Hat Product Security

More information about the devel mailing list