How, in this century, did anyone think passing HTTP URL params as env vars was an acceptable design? Fix is incomplete & GoAhead is unfixable. https://twitter.com/elttam/status/942630494054752256
Blocking LD_PRELOAD is a band-aid for one of the worst environment-control-based attack vectors. But there are unboundedly many possible attacks.
-
-
... assuming an unbounded space of env vars might influence the exec'd program? I agree that arbitrarily blocking LD_PRELOAD is a band-aid. But env vars are just inputs... why deprecate wholesale just because a few of them have huge effect on ld.so? Systematic fix feels possible