
Shellshock Bash bug preload workaround


Red Hat had a workaround for the Shellshock vulnerability that involves a preload library. The URL for the workaround source code is available at bash_ld_preload.c.

But the workaround steps seem to have gone missing now. Was this a bad solution or no solution?

The code:

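#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

/* The constructor attribute makes strip_env() run when the library is
   loaded, i.e. before main() of the preloaded program. */
static void __attribute__ ((constructor)) strip_env(void);
extern char **environ;

static void strip_env()
{
    char *p,*c;
    int i = 0;
    /* Walk the NULL-terminated environment vector. */
    for (p = environ[i]; p!=NULL;i++ ) {
        /* "=() {" marks a value that bash would import as a function. */
        c = strstr(p,"=() {");
        if (c != NULL) {
            /* Terminate the entry right after "=(", dropping the body. */
            *(c+2) = '\0';
        }
        p = environ[i];
    }
}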

Solution

  • The code given completely removes all exported functions from the environment (or, rather, makes their contents an empty string).

    This does have the side effect you want, of making vulnerabilities related to parsing and handling of exported functions moot.
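The same truncation applied to a constructed environment vector, so the strings it leaves behind can be inspected. This is an added example, not code from the question, the answer or Red Hat; the helper names `strip_entry`, `strip_env_vector` and `run_sample` and all sample entries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Marker matched by the workaround on this page. */
#define FUNC_MARKER "=() {"

/* Hypothetical helper: apply the workaround's truncation to one
 * writable "NAME=value" entry. Returns 1 if the entry was changed. */
static int strip_entry(char *entry)
{
    char *c = strstr(entry, FUNC_MARKER);
    if (c == NULL)
        return 0;
    *(c + 2) = '\0';            /* keep "NAME=(" and cut the rest */
    return 1;
}

/* Hypothetical helper: walk a NULL-terminated environment vector and
 * return how many entries were truncated. */
static int strip_env_vector(char **envp)
{
    int changed = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        changed += strip_entry(envp[i]);
    return changed;
}

/* Constructed sample environment (writable arrays, not literals). */
static char e_path[]  = "PATH=/usr/bin:/bin";
static char e_func[]  = "greet=() {  echo hello\n}";   /* exported function */
static char e_mid[]   = "NOTE=text with =() { inside"; /* marker mid-value */
static char e_paren[] = "Y=()";                        /* no " {", untouched */
static char *sample_env[] = { e_path, e_func, e_mid, e_paren, NULL };

/* Run the pass over the sample, print each entry, return the count. */
static int run_sample(void)
{
    int n = strip_env_vector(sample_env);
    for (size_t i = 0; sample_env[i] != NULL; i++)
        printf("%s\n", sample_env[i]);
    return n;
}

int main(void)
{
    printf("entries truncated: %d\n", run_sample());
    return 0;
}
```

Because `strstr` searches the whole entry, an ordinary variable whose value merely contains the marker is truncated as well, which is worth knowing before preloading this into services that pass arbitrary text through the environment.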