[pbhjpbhj]

What responses does it pass, does it not sanitise them? Can anyone link to details of what DHCP does that's relevant here? Thanks.

[monort]

Looking at http://code.metager.de/source/xref/isc-dhcp-debian/client/dh...

It seems that server_name from DHCP response is passed to environment variable without sanitising.

  3437		if (check_option_values(NULL, DHO_HOST_NAME,
  3438					lease->server_name,
  3439					strlen(lease->server_name)) == 0 ) {
  3440			client_envadd (client, prefix, "server_name",
  3441				       "%s", lease->server_name);

And script that is run after that (dhclient-script) is written in bash at least on Debian.

[isaaccp]

check-option_values() actually checks DHO_HOST_NAME to be only alphanumeric and '.':

See code here: http://lists.alioth.debian.org/pipermail/pkg-dhcp-commits/20...