Date: Wed, 25 Oct 1995 19:55:45 -0700
From: David Greenman <davidg@Root.COM>
To: Michael Smith <msmith@atrad.adelaide.edu.au>
Cc: dab@berserkly.cray.com (David Borman), hartmans@mit.edu, security@freebsd.org
Subject: Re: telnetd fix
Message-ID: <199510260255.TAA02836@corbin.Root.COM>
In-Reply-To: Your message of "Thu, 26 Oct 95 12:02:58 +0930." <199510260232.MAA09332@genesis.atrad.adelaide.edu.au>
>> 3) Provide a configuration file for telnetd to
>>    custom tailor the "safe" variable list, along
>>    with other configuration information.
>
>But aren't you addressing the _wrong_ side of the problem? It's not
>random environment variables that are the danger, but a _specific_ (small)
>set. Why not provide a customisable list of variables that are _not_
>permitted? This avoids all of the encoding/decoding cruft, and achieves
>that same goal, does it not?

The list for exclusion is long and almost guaranteed to be incomplete. It
seems to keep growing daily.

-DG
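
The trade-off argued in this exchange, as an added example that is not part of the original e-mail and not telnetd's code: a "safe" list and an exclusion list applied to the same client-supplied variables. Both lists, the function names, and the sample variables (including the hypothetical NEW_LOADER_KNOB) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed lists for illustration; not telnetd's actual lists. */
static const char *const safe_list[] = { "TERM", "DISPLAY", "USER", "LANG", NULL };
static const char *const exclusion_list[] = { "LD_LIBRARY_PATH", "LD_PRELOAD", "IFS", NULL };

/* Exact match of the NAME part of "NAME=value" against a list.
 * Comparing lengths first stops "TERMINAL" from matching "TERM". */
static int name_in(const char *kv, const char *const *list)
{
    size_t n = strcspn(kv, "=");
    for (; *list; list++)
        if (strlen(*list) == n && strncmp(kv, *list, n) == 0)
            return 1;
    return 0;
}

/* Reject entries with no '=' or an empty name before any list lookup. */
static int well_formed(const char *kv)
{
    size_t n = strcspn(kv, "=");
    return n > 0 && kv[n] == '=';
}

/* Default deny: only names on the safe list reach the login environment. */
int pass_safe_list(const char *kv)
{
    return well_formed(kv) && name_in(kv, safe_list);
}

/* Default allow: everything passes unless someone already listed it. */
int pass_exclusion_list(const char *kv)
{
    return well_formed(kv) && !name_in(kv, exclusion_list);
}

int main(void)
{
    /* Constructed input. NEW_LOADER_KNOB is hypothetical: it stands for a
     * variable found to be dangerous after the exclusion list was written. */
    const char *sent[] = { "TERM=vt100", "LD_PRELOAD=/tmp/x.so",
                           "NEW_LOADER_KNOB=1", "=oops", NULL };
    for (const char **p = sent; *p; p++)
        printf("%-22s safe_list=%d exclusion_list=%d\n",
               *p, pass_safe_list(*p), pass_exclusion_list(*p));
    return 0;
}
```

The two policies differ only on the variable neither list names: the exclusion list passes it, the safe list drops it.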