Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Hi Tomas,
On Fri, Dec 28, 2018 at 12:53:00PM +0000, Tomas Bortoli wrote:
>
> By shell escaping I meant to escape all the special shell characters
> within the input. That'd probably need additional dependencies or a neat
> sanitizer function.
>
> But I was wrong, it's unnecessary as there's no shell interpreter there
> but it's just using `execv` to get rsh/ssh running.
>
> I agree that preventing the injection of spaces will prevent the
> injection of additional parameters and therefore the execution of
> unexpected commands.
>
Thanks for the feedback and confirmation.
Regards,
-Roberto
--
Roberto C. Sánchez
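
The point made in the quoted text, as an added example that is not part of this thread and is not uw-imap's code: with execv there is no shell, so the risk is a host string that splits into extra argv entries, and refusing spaces closes it. The command template, paths, function names and sample hosts are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXARGS 16

/* Check from the thread: refuse a host containing a space. This sketch is
 * conservative and refuses any whitespace or an empty name. */
int host_is_safe(const char *host)
{
    if (host == NULL || *host == '\0') return 0;
    for (const unsigned char *p = (const unsigned char *)host; *p; p++)
        if (isspace(*p)) return 0;
    return 1;
}

/* Expand a hypothetical command template and split it on spaces, as a caller
 * must before execv(), which takes argv[] and runs no shell.
 * Returns the argument count, or -1 if the host is refused or too long. */
int build_argv(const char *host, int check, char *buf, size_t len,
               char *argv[MAXARGS + 1])
{
    int n, argc = 0;
    if (host == NULL || (check && !host_is_safe(host))) return -1;
    n = snprintf(buf, len, "/usr/bin/rsh %s exec /usr/sbin/rimapd", host);
    if (n < 0 || (size_t)n >= len) return -1;
    for (char *t = strtok(buf, " "); t != NULL && argc < MAXARGS;
         t = strtok(NULL, " "))
        argv[argc++] = t;
    argv[argc] = NULL;
    return argc;
}

/* Convenience wrapper: argument count for a host, with or without the check. */
int count_args(const char *host, int check)
{
    char buf[256], *argv[MAXARGS + 1];
    return build_argv(host, check, buf, sizeof buf, argv);
}

int main(void)
{
    /* Constructed sample hosts. */
    printf("%d\n", count_args("mail.example.org", 1));           /* 4 */
    printf("%d\n", count_args("mail.example.org extra-arg", 0)); /* 5 */
    printf("%d\n", count_args("mail.example.org extra-arg", 1)); /* -1 */
    return 0;
}
```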