* Karl Williamson <public@khwilliamson.com> [2015-10-13 19:25]:
> On 10/13/2015 03:13 AM, Aristotle Pagaltzis wrote:
> > You brought this up multiple times.
>
> Huh!? Unless I'm losing my mind, this thread is the only time I've
> ever posted on this. And unless I'm conflating this with something
> else, the only other time I've mentioned this at all was shortly
> before the original post, when I asked a question about it on #irc,
> and Zefram and I quickly concluded it was best handled via email;
> hence this thread.

Sorry. I thought I had seen you propose this twice on this thread.
You mentioned it on IRC as well; possibly you also mentioned it only
once there, and my impression that you had suggested it more than
once there too was equally mistaken. Too lazy to check. :-)

So it felt to me like you were re-proposing this repeatedly in the
face of disagreement from multiple sides, and as it seemed an
evidently bad idea to me as well, I wondered what on Earth could be
compelling you.

But you are right: on second look, none of that took place. My bad.

> So of course I haven't thought this through. I said I was asking for
> guidance. And I did state my premise there.

Well you didn’t state your premise for doing what you weren’t
actually doing. ;-)

Anyway, on the subject itself, as I said, the fact that it’s possible
to get shell command invocation out of glob() at all is – inarguably,
to my mind – a security vulnerability. And the reason
PERL_EXTERNAL_GLOB even exists seems to be hysterical raisins. Maybe
it’s time to revisit that and get rid of it.

> And I'm certainly not persistently advocating for anything.

Yes; sorry about that.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>