Has been on HN a couple of times in the past, but it's worth a repost.

The takeaway: something isn't a security bug just because you can get a program to misbehave based on user input. It has to lead to a privilege escalation, letting the user do something they couldn't otherwise do (e.g. if the input might come from an untrusted source that couldn't directly just do the thing itself).