2018-04-06 14:32 GMT+02:00  <ra...@airmail.cc>:
> Hello.
>
> I see that my patch [1] was overlooked and then [2] was written the next
> day.

Removing the feature would create backwards compatibility problems
that I would be bugged about for years to come, and I'd rather like to
avoid that.

> It introduces at least 2 new code executions vulnerabilities relating to 
> filenames containing $(..).

Those vulnerabilities must already be there because popen also invokes
the shell.

> I would recommend you avoid executing /bin/sh.

Yes, that makes sense.

Thanks,
Andreas

Reply via email to