[Users] That won't work.

claws at dragony.name claws at dragony.name
Sun Oct 11 21:17:37 CEST 2020


>> My solution IS working in that case, but has the stated security problems
>> because claw seems to execute the shell script with the parameters "the
>> easy way".  
>
>But it's your script, and your choice. Should a bash shell prevent you from
>running rm -rf /* if that's your choice? Or is a bash a security risk too?

The "rm -rf /*" part is not even arriving at my script, so I can't do anything about it in my script. Is there really nobody here seeing a security risk with |p{/your/program %some_var_with_arbitrary_data} while everything in {} is being passed unquoted to the shell??

Yes, you can say "Then don't pass parameters to your program!" but calling a program without parameters is not very useful in most cases.

- Dragony
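
The difference between unquoted and quoted substitution raised in this message, as an added example that is not part of the original post and is not Claws Mail code. It models the behaviour as the post describes it; the stand-in program, the sample header value and the function names are constructed assumptions.

```python
import shlex
import subprocess
import sys

# Hypothetical stand-in for /your/program: prints each argument it receives in brackets.
ARGV_DUMP = [sys.executable, "-c",
             "import sys\nfor a in sys.argv[1:]: print('[' + a + ']')"]
# Action template in the shape quoted in the post; %some_var is the placeholder.
TEMPLATE = shlex.join(ARGV_DUMP) + " %some_var"


def expand_unquoted(template, value):
    """Raw substitution: the value becomes shell syntax, not just data."""
    return template.replace("%some_var", value)


def expand_quoted(template, value):
    """Same substitution, but the value is quoted as a single shell word."""
    return template.replace("%some_var", shlex.quote(value))


def run_shell(command):
    """Run a command line through /bin/sh and return its output lines."""
    done = subprocess.run(["/bin/sh", "-c", command],
                          capture_output=True, text=True)
    return done.stdout.splitlines()


def run_argv(value):
    """No shell involved: the value is exactly one argv entry."""
    done = subprocess.run(ARGV_DUMP + [value], capture_output=True, text=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # Constructed sample of attacker-influenced data, e.g. a message header.
    header = "hello world; echo INJECTED"
    # Unquoted: the shell splits on spaces and runs the text after ';'
    # as a second command, before the program ever sees it.
    print("unquoted:", run_shell(expand_unquoted(TEMPLATE, header)))
    # Quoted: the program receives the whole value as one argument.
    print("quoted:  ", run_shell(expand_quoted(TEMPLATE, header)))
    # argv list: same result without any shell parsing.
    print("argv:    ", run_argv(header))
```

In the unquoted case the second command is executed by the shell itself, which is why a check inside the called script cannot catch it.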

