On 29 September 2014 at 12:18:52 pm, Ewen McNeill (nznog(a)ewen.mcneill.gen.nz) wrote: IMHO, even changing all of your scripts that you don't have time to audit to say "#! /bin/bash" explicitly at the top, and changing your /bin/sh to be something other than bash would be a practical improvement (eg, system() wouldn't be calling bash, and it's less likely bash would be invoked with "untrusted" input). What’s to stop dash, or any other shell, having a similar problem? Seems a reasonable suggestion to stick with what’s getting the most attention from the security angle. Then again, maybe dash will get that now too - is it less code/simpler to audit? To quote an esteemed security chap, who said privately, not necessarily in endorsement of my thoughts above: "you want many eyes argument? there are MANY eyes looking now ;)" -- Nathan Ward