> Tony Finch <mailto:[email protected]>
> Tuesday, October 14, 2014 5:31 AM
>
> A CGI script invoked by Apache httpd with HostnameLookups On
> (the default is Off, a safer setting is Double)

thanks, that makes sense. the security advisory posted here did not mention any real world examples. i agree that apache with HostnameLookups turned on, on redhat or apple systems where /bin/sh is bash, is a real world example.

apparently the apache team believed as i did that no shell would ever eval() its environment variables no matter with or without input checking. the bash team really violated the principle of least astonishment with function inheritance.

--
Paul Vixie
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
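
An added example, not part of the original message and not Apache or bash code: a Python filter that a CGI launcher could apply to the environment before a shell sees it, dropping values that begin with the `() {` function-definition prefix and rejecting a `REMOTE_HOST` that is not a syntactically valid hostname. The function name `scrub_cgi_env`, the hostname pattern and the sample environment are assumptions constructed for illustration.

```python
import re

# Affected bash versions treated an environment value beginning with "() {"
# as a function definition to import, which is the behaviour discussed above.
FUNC_PREFIX = "() {"

# Conservative hostname syntax: dot-separated letter/digit/hyphen labels.
# Reverse DNS data is not restricted to this, so REMOTE_HOST is checked.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*\.?")


def is_hostname(value):
    """True if value looks like a plain DNS hostname of legal length."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def scrub_cgi_env(env):
    """Return (clean_env, dropped) for a CGI environment dict (hypothetical helper)."""
    clean, dropped = {}, []
    for name, value in env.items():
        if value.lstrip().startswith(FUNC_PREFIX):
            dropped.append((name, "function-definition prefix"))
        elif name == "REMOTE_HOST" and not is_hostname(value):
            dropped.append((name, "not a syntactically valid hostname"))
        else:
            clean[name] = value
    return clean, dropped


# Constructed sample: REMOTE_HOST as it could arrive from a reverse lookup
# when HostnameLookups is On and the PTR data is attacker-controlled.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "REMOTE_ADDR": "192.0.2.10",
    "REMOTE_HOST": "() { :; }",
    "HTTP_USER_AGENT": "ExampleAgent/1.0",
}

if __name__ == "__main__":
    clean, dropped = scrub_cgi_env(SAMPLE_ENV)
    for name, reason in dropped:
        print(f"dropped {name}: {reason}")
    print(sorted(clean))
```
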
