Package: netstd
Version: 2.06-1

Right now, telnetd checks for a few dangerous environment variables. I think it should do what telnetd in NetKit-0.08 does: only allow a few variables which are known to be safe, and don't allow any others. The problem is that you never know that the list of the dangerous variables is complete.
For example, we check for ENV, but not for BASH_ENV (mentioned in the bash man page in one place - GNU creeping featurism strikes again, argh), and also not for RESOLV_HOST_CONF and a few others. NetKit-0.08 telnetd only allows DISPLAY, TERM, USER, LOGNAME and POSIXLY_CORRECT. I think we should do the same (ideally, the list should be made configurable without recompiling, but that can be done later).

Marek
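
The two policies contrasted in the report, as an added example that is not part of the original report and is not code from netstd or NetKit. The function names are hypothetical, the denylist holds only ENV because that is the one checked variable the report names, and the sample environment is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist from the report: the variables NetKit-0.08 telnetd permits. */
static const char *const allowed[] = {
    "DISPLAY", "TERM", "USER", "LOGNAME", "POSIXLY_CORRECT", NULL
};
/* Constructed stand-in for the denylist: the report names only ENV
 * as one of the variables currently checked. */
static const char *const denied[] = { "ENV", NULL };

/* Does the name part of "NAME=value" exactly match an entry in list? */
static int in_list(const char *entry, const char *const *list)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    for (; *list; list++)
        if (strlen(*list) == n && strncmp(entry, *list, n) == 0)
            return 1;
    return 0;
}

/* Denylist policy: accept anything not known to be dangerous. */
int denylist_accepts(const char *entry) { return !in_list(entry, denied); }

/* Allowlist policy: accept only what is known to be safe. */
int allowlist_accepts(const char *entry) { return in_list(entry, allowed); }

/* Compact env[] in place, keeping accepted entries; returns count kept. */
size_t filter_env(const char **env, int (*policy)(const char *))
{
    size_t kept = 0;
    for (size_t i = 0; env[i]; i++)
        if (policy(env[i]))
            env[kept++] = env[i];
    env[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed client-supplied environment. */
    const char *env[] = { "TERM=vt100", "ENV=/tmp/x", "BASH_ENV=/tmp/x",
                          "RESOLV_HOST_CONF=/tmp/x", "TERMCAP=x", NULL };
    size_t n = filter_env(env, allowlist_accepts);
    for (size_t i = 0; i < n; i++)
        puts(env[i]);   /* only TERM=vt100 remains */
    return 0;
}
```

The name comparison is exact, so TERMCAP is not accepted on the strength of TERM being allowed.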