Has been on HN a couple of times in the past, but it's worth a repost.
The takeaway: something isn't a security bug just because you can get a program to misbehave based on user input. It has to lead to a privilege escalation, letting the user do something they couldn't otherwise do (e.g. if the input might come from an untrusted source that couldn't directly just do the thing itself).