severity 259987 important tags 259987 +security thanks Here is an example: $ touch "ddd&echo crap" $ aspell check ddd<TAB>
This completes to: $ aspell check ddd&echo crap The user expects tab-completion to safely escape file names, and thus it is quite possible he won't notice it failed to, and thus execute an arbitan arbitrary command. Remember this could be burried deep inside a long file name to make it much less likely for the user to notice. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
