by bah_humbug
181 days ago
> resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands passed as input to resolvconf(8) may be executed.

The fix consists of implementing an XXX present since the code was added:

    /*
     * XXX validate that domain name only contains valid characters
     * for two reasons: 1) correctness, 2) we do not want to pass
     * possible malicious, unescaped characters like `` to a script
     * or program that could be exploited that way.
     */

https://www.freebsd.org/security/patches/SA-25:12/rtsold.pat...
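
An added example, not part of the comment above and not the FreeBSD patch: one way to do the validation the XXX comment asks for, in C, so that a name is rejected before it is handed to a script. The function name `dname_is_safe` and the strict letters-digits-hyphen rule are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_NAME_LEN  253	/* text form, without the trailing dot */
#define MAX_LABEL_LEN 63

/*
 * Hypothetical helper (an assumption, not the FreeBSD fix): accept a domain
 * name only if every label is 1..63 bytes of [A-Za-z0-9-] and neither starts
 * nor ends with '-'. Backquotes, '$', ';', '|', whitespace and every other
 * byte fail the allow-list, so nothing shell-significant gets through.
 */
bool
dname_is_safe(const char *name)
{
	size_t len, i, label_len = 0;

	if (name == NULL)
		return false;
	len = strlen(name);
	if (len > 0 && name[len - 1] == '.')
		len--;		/* allow one trailing dot (fully qualified) */
	if (len == 0 || len > MAX_NAME_LEN)
		return false;

	for (i = 0; i < len; i++) {
		char c = name[i];

		if (c == '.') {
			/* reject an empty label or a label ending in '-' */
			if (label_len == 0 || name[i - 1] == '-')
				return false;
			label_len = 0;
			continue;
		}
		if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		    (c >= '0' && c <= '9') || c == '-'))
			return false;
		if (c == '-' && label_len == 0)
			return false;	/* label starting with '-' */
		if (++label_len > MAX_LABEL_LEN)
			return false;
	}
	/* the last label must be non-empty and must not end in '-' */
	return label_len > 0 && name[len - 1] != '-';
}
```

An allow-list like this is applied at the point where the untrusted name is received; quoting the variable inside the script is still needed as a second layer.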