On Fri, Jul 14, 2023 at 3:08 AM Dusk <d...@woofle.net> wrote:

> 2) These expansions should probably be disabled by INI_SCANNER_RAW; that
> flag already disables certain other types of value interpolation. (Oddly,
> it doesn't disable expansion of constants either; that might be worth
> revisiting as well.)


Environment variable parsing is already disabled by INI_SCANNER_RAW mode,
isn't it? Personally I don't think the default/normal mode should behave
differently. If you're passing untrusted input to parse_ini_string, you
should be sanitizing, whitelisting or using raw mode anyway really.

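As an added example (not part of the original message and not code from the PHP project), the following shows the handling the reply recommends for untrusted input to parse_ini_string: raw mode combined with an allow-list. The DEMO_SECRET variable, the key names, the validation patterns and the sample input are all constructed for illustration.

```php
<?php
// Added example. DEMO_SECRET, the key names and the input are constructed.
putenv('DEMO_SECRET=constructed-secret-value');

// Untrusted INI text, e.g. supplied by a user (constructed sample).
$untrusted = <<<'INI'
title = My site
theme = ${DEMO_SECRET}
debug = 1
INI;

// Hypothetical allow-list: accepted key => pattern its value must match.
const ALLOWED = [
    'title' => '/\A[\w .,-]{1,64}\z/',
    'theme' => '/\A[a-z0-9_-]{1,32}\z/',
];

function parse_untrusted_ini(string $ini): array
{
    // Raw mode returns values as written, so "${...}" stays a literal string.
    $parsed = parse_ini_string($ini, false, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new InvalidArgumentException('malformed INI input');
    }
    $clean = [];
    foreach ($parsed as $key => $value) {
        // Drop unknown keys and array values (key[] = ...).
        if (!isset(ALLOWED[$key]) || !is_string($value)) {
            continue;
        }
        // Keep a value only if it matches the pattern for its key.
        if (preg_match(ALLOWED[$key], $value) === 1) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Normal mode: the theme value is replaced by the environment variable.
var_dump(parse_ini_string($untrusted, false, INI_SCANNER_NORMAL)['theme']);
// Raw mode: the same value comes back as the literal text it was written as.
var_dump(parse_ini_string($untrusted, false, INI_SCANNER_RAW)['theme']);
// Raw mode plus allow-list: only known keys with validated values survive.
var_dump(parse_untrusted_ini($untrusted));
```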