| ▲ | x3n0ph3n3 2 hours ago | |||||||
Same thing happens if I have a: 1) PS1 that displays the current git branch 2) Include the current directory in my PATH Should we file a high severity CVE with bash now? | ||||||||
| ▲ | loumf 2 hours ago | parent | next [-] | |||||||
It’s been known for decades that you should never put your current directory in your PATH. There are endless opportunities for vulnerabilities then. I learned this in college in the 80’s (by not following it and getting owned). | ||||||||
| ▲ | jwolfe 2 hours ago | parent | prev | next [-] | |||||||
If bash placed the current directory in your PATH by default, then yes. | ||||||||
| ||||||||
| ▲ | Firehawke an hour ago | parent | prev | next [-] | |||||||
Not with bash. If your distro is putting ./ into the path then that's absolutely a high severity CVE with your distro's config. | ||||||||
| ▲ | shitter 2 hours ago | parent | prev [-] | |||||||
I would file a CVE for any program that places untrusted content into PATH and invokes non-fully qualified executable names - not for the shell. | ||||||||