On 11/09/14 09:01, M Farkas-Dyck wrote:
> On 08/11/2014, Rob <[email protected]> wrote:
>> I don't know if this is an issue. If a user can run "grep blah /dev/zero"
>> then they have shell access anyway, what's to stop them compiling a C
>> program that allocates memory in a loop?
>
> ¬(C compiler). But that is no great hindrance to memory-allocating
> denial of service.

A CGI script shouldn't allow you to run arbitrary command lines (unless
you've really screwed up) but may operate on arbitrary input, and "grep in
a pipeline" isn't ordinarily considered crazy funky coding. Similarly "don't
use getline() when implementing httpd or wget to parse http 1.1 reply
headers" is actually non-obvious advice...

> Yeah, I would deem this Someone Else's Problem.

Whose?

Rob

_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
