On 29 September 2014 14:03, arisawa wrote: > today, we have a number of malicious request to our web server. > assume a web server accept a request with a query > query='fn#foo=fn%20foo%20{echo%20yes};%20echo%20no%0a’ > but why should a web server put arbitrary data from a remote user unrestrained into the environment? even if rc used a restricted parser, as it stands you could still write fn#cd=fn%20cd%20{do_horrible_thing} and it would stand a good chance of doing the horrible thing if the web server runs a shell script that does a cd. really, as with Apache, the problem is the uncritical nature of the web server. it's probably reasonable to have rc use a parser that accepts only functions, but that's for precision, not to fix a security problem elsewhere.