On Thu, Jun 12, 2008 at 03:43:36AM -0400, Peter Memishian wrote:

> > > > * Use of eval presents a significant security risk: any command
> > > where a non-privileged user might gain control over any field's
> > > value makes eval as root (say, in an admin script) unsafe.
> >
> > To avoid this do: a) quote '$', '`' and a few other unsafe characters,
> > b) instruct developers to disable globbing prior to evaluating this
> > output. It should be possible to make dladm's output eval safe (and if
> > not then let's find out why not).
>
> Please, let's not. The eval approach seemed clever at the time, but in
> retrospect it was a mistake.
Because it was incomplete.
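The risk discussed in the quoted text, as an added shell example that is not part of this thread or of dladm: a constructed name=value sample (not real dladm output) is parsed once with eval and once with a parser that stores field values literally and runs with globbing disabled. `parse_with_eval`, `get_field` and the `SAMPLE` data are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from dladm.
# Constructed sample in "name=value" form. One field carries shell
# metacharacters, as a field whose value a non-privileged user can
# influence might; the command substitution here is deliberately harmless.
SAMPLE='LINK=net0
MTU=1500
NOTE=$(echo evaluated)'

# Unsafe pattern: eval treats every field value as shell source, so the
# substitution embedded in NOTE runs with the privileges of this script.
parse_with_eval() {
    eval "$1"
    printf '%s\n' "$NOTE"
}

# Safe pattern: read one line at a time, split on the first '=' and keep
# the value as data. No eval, and globbing is disabled in the subshell so
# an unquoted expansion could not turn '*' or '?' into filenames either.
# Usage: get_field KEY "$output"  -> prints KEY's value verbatim
get_field() {
    key=$1
    input=$2
    (
        set -f
        printf '%s\n' "$input" | while IFS= read -r line; do
            k=${line%%=*}
            v=${line#*=}
            if [ "$k" = "$key" ]; then
                printf '%s\n' "$v"
                break
            fi
        done
    )
}
```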
