On 2014-09-26 09:19:17 +0200, Samuel Thibault wrote: > Nikolaus Rath, le Thu 25 Sep 2014 17:26:40 -0700, a écrit : > > Wasn't there some web server that used to put query script variables > > into the environment of the CGI script? > > Well, that ought to have been fixed a long time ago already, > otherwise you could have injected all sorts of LD_*.
It depends on the environment variable names. Names with lowercase characters, such as "exec", are safe, since for application usage only[*]. Well... actually not with bash! [*] http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
