Hacker News

-DGAPING_SECURITY_HOLE is how you have to compile nc in order to enable "-e" support. The gaping security hole is that it is literally RCE-as-a-feature -- yes, it's not as bad as "pass any text you get over this socket to a shell session" but it's still pretty bad.



There is no security hole; -e isn't pretty bad.


He's not being facetious by saying -DGAPING_SECURITY_HOLE, that is literally the flag you need to set when compiling nc to use the -e flag.

https://android.googlesource.com/platform/external/netcat/+/...


I know that's the flag you need to set, but despite the name, setting the flag does not introduce any kind of a security hole.



