Hi,

Martin Uecker:
> While everybody is looking at bash, isn't this the real
> injection part? Why are there still programs which copy stuff
> from the network into environment without proper sanitation?
Probably either sheer laziness, or for the usual, misguided-these-days (IMHO) "be lenient in what you accept" reason. In any case, there are a bunch of crazy URL schemes out there, so who are you to decide that PATH_TRANSLATED="() {:;};rm -rf $(ls /)" is unreasonable? Literally all of these characters occur in actual real-world URLs, and RFC 3875 explicitly says that it may contain "any character".

-- 
Matthias Urlichs
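As an added illustration (not code from either poster), the following check looks at the meta-variables a CGI gateway is about to hand to a bash child and flags any whose value starts with the `() {` marker that bash's environment importer treats as an exported function; the sample environment, including the PATH_TRANSLATED value quoted above, is constructed here.

```python
import re
from typing import Dict, List

# Bash imports an environment variable whose value begins with "() {" as a
# function definition, which is what made unsanitized CGI meta-variables such
# as PATH_TRANSLATED dangerous. This pattern is deliberately a little looser
# than bash's own prefix test so that whitespace variants are flagged as well.
_FUNC_EXPORT = re.compile(r"^\s*\(\)\s*\{")


def suspicious_cgi_vars(env: Dict[str, str]) -> List[str]:
    """Return the names of variables whose value looks like a bash function export."""
    return sorted(name for name, value in env.items() if _FUNC_EXPORT.match(value))


def sanitize_cgi_env(env: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of env with the flagged variables dropped, so they never
    reach a bash child's environment."""
    bad = set(suspicious_cgi_vars(env))
    return {name: value for name, value in env.items() if name not in bad}


# Constructed sample of what a gateway might put into the environment for one
# request. Only PATH_TRANSLATED carries the function-export marker; the other
# values contain braces or parentheses without being at the start of the value.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "PATH_TRANSLATED": "() {:;};rm -rf $(ls /)",   # the value quoted in the thread
    "QUERY_STRING": "a=() {{ not }}",               # marker not at the start, harmless
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux)",
}

if __name__ == "__main__":
    print("flagged:", suspicious_cgi_vars(SAMPLE_ENV))
    print("kept:", sorted(sanitize_cgi_env(SAMPLE_ENV)))
```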