Q: shellschock - bash bug

... I'd like to hear what anyone thinks about how this might affect the average Mac user,

It's doesn't affect the average Mac user. If you are running a web server, apply the patch by downloading it from the GNU project archive. If you don't know what that is, how to obtain it, or how to apply it to your server, then you are not affected.

Apple announced they are "working to quickly provide a software update for our advanced UNIX users."

There are plenty of bad things that could happen to a system due to existing vulnerabilities, known or unknown. There is no reason for any more concern today than there has ever been. Bash has been included with OS X for years, perhaps since its inception.

Similar vulnerabilities may also be discovered and exploited, now or in the future. The resulting effects, if there are any, cannot be accurately predicted.

Until then:

• Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them.
• Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.

Bash has been included with OS X for years, perhaps since its inception.

Bash was added to OS X in version 10.2 as a replacement for sh which had been zsh.

Thanks. I looked for a reference, do you have one?

Another of various discussions:  CVE-2014-6271 bash vulnerability

Off hand, I don't. I think there may be a reference in some Apple documentation. I remember David Korn's famous statement, "...ksh can safely replace /bin/sh on most systems today unlike zsh which would cause many script to fail in mysterious ways.". Sometime thereafter Apple announced that bash would replace zsh as sh.

I can recall using bash very early, though I am reasonably certain that it was not the default shell until perhaps Jaguar or Panther. In any event it's been included in OS X for a long time, which could be as far back as the initial public beta (please don't make me boot that).

I suggest that you peruse Apple's Darwin source code.

You first.

The open source packages are grouped by project. There is no need to look for the actual source.

Bash 2.0.5a was first included in 10.2.

Bash 3.2 is part of 10.9.

Apple appears to have been applying patches to 3.2 for some time.

I have been running zsh myself.

With no small amusement, I ran a few of the proposed ShellShock tests against KSH, and it is immune.

With Apple's aversion to GPL3, we may see patched versions of Bash 3.2 on OS X for the foreseeable future, while Linux platforms offer Bash 4.3.11 and later. So far, I haven't encountered limitations in Bash 3.2 that block me from my script goals, or interfere with an occasional cross-platform script functionality.

So far, I haven't encountered limitations in Bash 3.2 that block me from my script goals, or interfere with an occasional cross-platform script functionality.

Is mostly good, but I had issues with command line editing back in some previous Mac OS X (Tiger perhaps), so I built and installed bash 4.0.

Then I ended up building and using my 4.0 bash on Solaris and AIX, as the systems I was using at work, were even older versions of bash

I would say the biggest addition to the 4.* series was associated arrays (I had to look that up, as I do not use it in my scripts), and a bunch of other less used things.

I took this opportunity to upgrade to bash 4.3.25

The thing I like the most about bash is "Process Substitution"

while

do

   ...

done <  <(some command)

What this does is allow the 'while' loop to remain in the current script context with any variable changes being seen after the loop ends.  This is vs

some command | while

do

    ....

done

where the 'while' is execute in a subshell and all variable changes remain in the subshell and go away when the 'while' loop ends.

I hope that you don't mind my adding this link...

OS X bash Update 1.0 – OS X Mavericks

About OS X bash Update 1.0

Bob,

Looks like you are committed to Bash 4.x

The following script that incorporates associative arrays and process substitution works fine on Mavericks, and likely ML, and Lion with Bash 3.2.

#!/bin/bash
# Finds and reports Microsoft Document Kinds
# Dependency: Spotlight must have indexed the folders you process
# Author: VikingOSX, 19/08/2014, Apple Support Community


# initialize an array
declare -a msDocs=("Microsoft Word*" "Microsoft Excel*" "Microsoft Power*");
DIR="$HOME/Documents"
OUTDOC="$HOME/Desktop/Wordfiles.txt"
OUTXLS="$HOME/Desktop/Excelfiles.txt"
OUTPPT="$HOME/Desktop/Powerptfiles.txt"


# loop through the array of document kinds
for kind in "${msDocs[@]}"
do
  # process each file from mdfind run
  while read -r filetype
  do


  if [[ "$kind" == *"Microsoft Word*" ]];
  then
  printf "%s\n" "$filetype" >> $OUTDOC
  continue
  elif [[ "$kind" == *"Microsoft Excel*" ]];
  then
  printf "%s\n" "$filetype" >> $OUTXLS
  continue
  elif [[ "$kind" == *"Microsoft Power*" ]];
  then
  printf "%s\n" "$filetype" >> $OUTPPT
  fi


  done < <(mdfind -onlyin "${DIR}" -name 'kMDItemKind == "'"$kind"'"cwd' | sort -d)


done
# release the array
unset msDocs
exit 0

Looks like you are committed to Bash 4.x

Mostly I was committed to working working command line editing on very long lines that wrap across multiple lines, and at the time (Tiger) Mac OS X bash was not cutting it, so that is why I built my own newer bash.

The following script that incorporates associative arrays and process substitution works fine on Mavericks, and likely ML, and Lion with Bash 3.2.

I absolutely love process substitution.  It solved so many problems, where in the past I would have to implement a complex workaround.  When I look at shell scripting books these days, the first thing I do is check if the author has provided any process substitution descriptions and examples.

Your script is good, however, the arrays are the numeric indexed arrays, not associative arrays.  NOTE: I only bash arrays numeric indexed (like I said, I only switched to 4.x because of command line editing, not array features.  Although thinking about is, if I need an associative array, I'm used awk or perl and spit the processed answer out for bash to use.  Maybe I should be thinking about implementing directly in bash.  Interesting).

Here is a simple example of associative arrays in bash (it doesn't really do anything useful, just demos associative arrays):

#!/usr/bin/env bash

declare -A a    # create associative array

a["abc_key"]=def
a["qrs_key"]=xyz

echo "${a[@]}"   # display associative array contents
echo "${!a[@]}"  # display associative array keys
echo "${a["abc_key"]}"  # use key to access value
echo "${a["qrs_key"]}"  # use key to access value

exit

$ bash associative_array_example.sh  # run the example
def xyz
abc_key qrs_key
def
xyz

All of my shell scrips, and I have lots of them (one 13,000 lines long) can run in bash 3.2.  And for all I know, the very long command line editing issues I had back in Tiger have been cured.  But as my 4.x bash isn't broke, and I have copies for Mac OS X, Linux, Solaris, and AIX, it gives me a stable command line environment to work in.