From: Random832
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Mon, 19 Oct 2015 09:48:25 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

address@hidden (Taylan Ulrich "Bayırlı/Kammer") writes:

> It was not criticism of shell-quote-argument (those are separate).
> Indeed it quotes arguments. My variant also quotes things that may be
> the name of the command and not an argument.

But why does it *need* to? Do you realize that you are now suggesting an injection scenario whereby the attacker is _legitimately_ permitted to supply an arbitrary string for an ordinary command to be executed, but somehow letting them execute "if" [which will be a syntax error anyway since they can't supply the then/fi as separate statements] becomes a security hole?
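
The behaviour both posters refer to, as an added example that is not part of the original message or of shell-quasiquote: how a POSIX shell treats the word `if` in command position when it is unquoted, quoted, or part of a complete statement. `run_status` is a hypothetical helper, and the 127 result assumes no executable named `if` exists on PATH.

```shell
# Constructed demo; run_status is a hypothetical helper, not shell-quasiquote code.
run_status() {
    # Run the string as a script in a child shell, discard its output,
    # and print the child's exit status.
    status=0
    sh -c "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Unquoted: `if` is recognised as a reserved word. Without then/fi the
# script is rejected as a syntax error (non-zero status, but not 127).
unquoted=$(run_status 'if true')

# Quoted: reserved-word recognition is suppressed, so the shell looks for a
# command literally named "if" (assumed absent from PATH) and reports 127.
quoted=$(run_status "'if' true")

# Complete compound statement: only possible when the whole construct,
# including then/fi, is supplied in the same script text.
complete=$(run_status 'if true; then exit 7; fi')

printf 'unquoted "if true"        -> %s (syntax error)\n' "$unquoted"
printf 'quoted   "'\''if'\'' true"      -> %s (command not found)\n' "$quoted"
printf 'complete if/then/fi       -> %s (body executed)\n' "$complete"
```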