Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
On Fri, Dec 28, 2018 at 12:53:00PM +0000, Tomas Bortoli wrote:
> By shell escaping I meant to escape all the special shell characters
> within the input. That'd probably need additional dependencies or a neat
> sanitizer function.
> But I was wrong, it's unnecessary as there's no shell interpreter there
> but it's just using `execv` to get rsh/ssh running.
> I agree that preventing the injection of spaces will prevent the
> injection of additional parameters and therefore the execution of
> unexpected commands.
Thanks for the feedback and confirmation.
Roberto C. Sánchez