[Users] That won't work.
claws at dragony.name
claws at dragony.name
Sun Oct 11 21:17:37 CEST 2020
>> My solution IS working in that case, but has the stated security problems
>> because claw seems to execute the shell script with the parameters "the
>> easy way".
>
>But it's your script, and your choice. Should a bash shell prevent you from
>running rm -rf /* if that's your choice? Or is a bash a security risk too?
The "rm -rf /*" part is not even arriving at my script, so I can't do anything about it in my script. Is there really nobody here seeing a security risk with |p{/your/program %some_var_with_arbitrary_data} while everything in {} is being passed unquoted to the shell??
Yes, you can say "Then don't pass parameters to your program!" but calling a program without parameters is not very useful in most cases.
- Dragony
More information about the Users
mailing list