On 5/9/17 12:41 AM, Eduardo Bustamante wrote:
> On Mon, May 8, 2017 at 3:09 PM, Chet Ramey <chet.ra...@case.edu> wrote:
>> There's no compelling reason to disallow it. If a system administrator
>> wants to unbind certain readline commands (and unset INPUTRC!) to protect
>> against a specific use case, he is free to do that.
>
> I agree. I changed my mind after sending that email. I still think it
> would be prudent to mention this in the docs somewhere. Perhaps a
> section on "security notes" in the manual/reference? or a mention in
> the FAQ?
[...]
> I couldn't find any decent reference online that mentions a few of the
> "traps" that bash has in regards to secure programming (e.g. "don't
> evaluate user supplied input in arithmetical contexts without
> sanitizing!", "be careful with SHELLOPTS/xtrace/PS4!", "don't use read
> -e unless you trust the user supplying the info or know how to plug
> the holes", "don't evaluate user supplied regular expressions!")
This would be a great project for someone who wanted to help.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
