I think there's an easy way to distinguish "likely problem" from
"likely false positive" in this case. If a shell loops over one value
AND that value is the name a previously-assigned variable, that is
likely a variable name missing its "$". Otherwise it's plausibly a
loop over 1 value (which is a little odd, but not insane and
such a construct is less likely to be an error).

I doubt such a construct often leads to a vulnerability.
It seems like the sort of thing likely to be detected in practically any
testing, since it's deterministic & doesn't depend on attacker input at all.

--- David A. Wheeler

Reply via email to