by manjalyc 6 days ago
On the other hand, separating concerns by process boundaries leads to more secure, composable and stable code. By not reinventing the wheel, you avoid a whole class of problems. Of course a stable API or library might be better, but convenience always wins out.

No-no, I mean launch processes by all means, just without shell substitutions.

Ever noticed that docker (and k8s) accept command line as an array? That's the way to go. It does not expand any env variables, path expansions (.. or *). Like

   command: ["java", "Main.java"]
But people hack it in order to get shell features, and that is the failure I mean:

   command: ["sh", "-c", "java Main.java"]
The second example runs a shell, and the shell is for humans, so it is vulnerable to the attacks above.
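The same array-vs-`sh -c` split exists in Python's `subprocess`, so here is an added example (not from the comment above) showing what each form does to one argument containing `$VAR`. `DEMO_VAR` and the argument string are constructed for the demonstration; `shlex.quote` is the fallback when a shell genuinely cannot be avoided.

```python
import os
import shlex
import subprocess
import sys

# Constructed: an environment variable and an argument that references it.
# In the argv form the argument is a literal string; in the shell form
# /bin/sh re-parses the command line and expands $DEMO_VAR.
DEMO_ENV = {**os.environ, "DEMO_VAR": "expanded"}
UNTRUSTED_ARG = "file-$DEMO_VAR.txt"

# A tiny child program that just echoes its first argument back.
ECHO_ARG = "import sys; print(sys.argv[1])"


def run_argv(arg: str) -> str:
    """Exec-array form (docker/k8s ["java", "Main.java"] style): no shell,
    the argument reaches the child exactly as given."""
    out = subprocess.run(
        [sys.executable, "-c", ECHO_ARG, arg],
        env=DEMO_ENV, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def run_shell(arg: str) -> str:
    """Shell form (the ["sh", "-c", "..."] hack): the whole line is a string
    that the shell interprets, so $DEMO_VAR is substituted before exec."""
    out = subprocess.run(
        f'{sys.executable} -c "{ECHO_ARG}" {arg}',
        shell=True, env=DEMO_ENV, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def run_shell_quoted(arg: str) -> str:
    """Mitigation when a shell is unavoidable: shlex.quote() wraps the
    argument so the shell treats it as one literal word."""
    out = subprocess.run(
        f'{sys.executable} -c "{ECHO_ARG}" {shlex.quote(arg)}',
        shell=True, env=DEMO_ENV, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    print("argv form:        ", run_argv(UNTRUSTED_ARG))        # file-$DEMO_VAR.txt
    print("shell form:       ", run_shell(UNTRUSTED_ARG))       # file-expanded.txt
    print("shell + quote:    ", run_shell_quoted(UNTRUSTED_ARG))  # file-$DEMO_VAR.txt
```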