Problem with exec shell_escape option
Brian Candler
b.candler at pobox.com
Thu Dec 22 12:54:06 CET 2016
On 21/12/2016 18:51, Alan DeKok wrote:
> It should work. I'll see if I can add some tests.
Thank you.
> But in general, passing user input to an exec'd program is a bad idea. It's useful, but there are just too many opportunities for the user to do something bad.
Sure.
The external password change program I've written isn't a shell script.
As far as I can tell from source: the 'exec' xlat expansion ultimately
calls execve(prog, args), i.e. it doesn't invoke a shell itself. Is
that right?
Cheers,
Brian.
More information about the Freeradius-Users
mailing list