2018-04-06 14:32 GMT+02:00 <[email protected]>:
> Hello.
>
> I see that my patch [1] was overlooked and then [2] was written the next
> day.

Removing the feature would create backwards compatibility problems that I would be bugged about for years to come, and I'd rather like to avoid that.

> It introduces at least 2 new code execution vulnerabilities relating to
> filenames containing $(..).

Those vulnerabilities must already be there because popen also invokes the shell.

> I would recommend you avoid executing /bin/sh.

Yes, that makes sense.

Thanks,
Andreas
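The recommendation above (stop routing the command through /bin/sh, which is what popen does and why a filename containing $(..) gets expanded) boils down to passing an argv[] straight to exec. The helper below is an added illustration for this thread, not code from either patch or from the project; the program run (/bin/echo) and the filename "report $(date).txt" are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a program WITHOUT going through /bin/sh: argv[] is handed to execvp()
 * verbatim, so a filename such as "report $(date).txt" is one literal argument
 * and "$(...)" is never expanded. The child's stdout is captured into out
 * (NUL-terminated). Returns the child's exit status, or -1 on failure. */
int run_without_shell(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                      /* only reached if exec failed */
    }
    close(fds[1]);                       /* parent: collect child's stdout */
    size_t used = 0;
    ssize_t n;
    while (used + 1 < outlen && (n = read(fds[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed example: a filename carrying shell syntax. With
 * popen("echo report $(date).txt", "r") the shell would run `date`;
 * passed as an argv element it stays plain text. */
int demo(char *out, size_t outlen)
{
    char *const argv[] = { "/bin/echo", "report $(date).txt", NULL };
    return run_without_shell(argv, out, outlen);
}

int main(void)
{
    char buf[256];
    int rc = demo(buf, sizeof buf);
    printf("exit=%d stdout=%s", rc, buf); /* prints: exit=0 stdout=report $(date).txt */
    return rc == 0 ? 0 : 1;
}
```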
