On 30.11.2015 23:05, Kenneth Loafman wrote:
> The whole idea of shell code injection implies bad player access, which is
> the issue that should be most important to close.
we back up to potentially insecure backends. that's what the encryption is for ;).. in theory a malicious party could fiddle with the file names on the backend and i am pretty sure no one tested this possibility with shell based backends so far wrt. shell injections.
so actually, disagreed. but as usual, it will be done if somebody does it ;) not earlier.
btw. python pexpect seems to shlex.split() too if it isn't provided a list of arguments
https://github.com/pexpect/pexpect/blob/master/pexpect/popen_spawn.py#L42
..ede/duply.net
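
The concern in the message above, as an added example that is not part of the original message or of duplicity's code: a file name reported by the backend is interpolated into a command string that is then split with shlex.split(), the call the message mentions. `fetch-tool`, the helper names and the sample file names are constructed placeholders.

```python
import shlex

# Hypothetical transfer command; "fetch-tool" is a placeholder, not a real CLI.
TOOL = "fetch-tool"


def argv_naive(remote_name, local_path):
    """Interpolate the backend-supplied name into a string, then split it."""
    cmd = "%s get %s %s" % (TOOL, remote_name, local_path)
    return shlex.split(cmd)


def argv_quoted(remote_name, local_path):
    """Quote every untrusted value before it enters the command string."""
    cmd = "%s get %s %s" % (TOOL, shlex.quote(remote_name),
                            shlex.quote(local_path))
    return shlex.split(cmd)


def argv_list(remote_name, local_path):
    """Build the argument list directly, so no string parsing happens.
    A name starting with "-" is still one argument here, but the called
    tool may read it as an option; that needs a separate check."""
    return [TOOL, "get", remote_name, local_path]


def changed_by_splitting(remote_name, local_path="/tmp/restore.part"):
    """True if the naive path does not yield the intended argv."""
    intended = argv_list(remote_name, local_path)
    try:
        return argv_naive(remote_name, local_path) != intended
    except ValueError:
        # An unbalanced quote in the name makes shlex.split() raise.
        return True


# Constructed sample listing, as a backend might return it.
SAMPLE_NAMES = [
    "duplicity-full.20151130T220500Z.vol1.difftar.gpg",
    "vol1.difftar.gpg --extra-flag",
    "a'b c",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), "altered by splitting:", changed_by_splitting(name))
        print("  quoted ->", argv_quoted(name, "/tmp/restore.part"))
```
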