On Tue, Feb 07, 2017 at 06:37:09PM +0000, Jesse Schulman wrote: > Thank you for the update, we are running the patch Thierry provided with > success, but we only do a lua call within the %[] almost identically to the > simple reproducer I provided. I *think* we are safe considering we don't > do any redirect in the way that your (Willy's) reproducer is doing it.
OK that's fine but be careful, any implicit type cast or any converter involving a string can simply break with this patch. It may be fine in your specific use case but I'm saying this so that others don't blindly apply it. > We will definitely look to upgrade to the next available stable version > that includes the proper fix. I now see how to address it in a future-proof way that will also help us close this thing for other existing areas and possibly future designs. It should be done by tomorrow (I hope so). Thanks, Willy
