by monort 4288 days ago
Looking at http://code.metager.de/source/xref/isc-dhcp-debian/client/dh...

It seems that server_name from the DHCP response is passed to an environment variable without sanitising.

  if (check_option_values(NULL, DHO_HOST_NAME,
                          lease->server_name,
                          strlen(lease->server_name)) == 0 ) {
      client_envadd (client, prefix, "server_name",
                     "%s", lease->server_name);

And the script that is run after that (dhclient-script) is written in bash, at least on Debian.
1 comments

check_option_values() actually checks DHO_HOST_NAME to be only alphanumeric and '.':

See code here: http://lists.alioth.debian.org/pipermail/pkg-dhcp-commits/20...
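
The check-then-export pattern discussed in this thread, as an added example that is not part of the thread and is not ISC DHCP's code. `value_is_clean` and `format_env_entry` are hypothetical names, the allowlist is the one the reply describes (alphanumerics and '.'), and the sample values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if the len-byte value holds only ASCII
 * alphanumerics and '.', the character set the reply describes. */
static int value_is_clean(const char *val, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)val[i];
        /* Rejects NUL, whitespace, shell metacharacters and non-ASCII. */
        if (c >= 0x80 || !(isalnum(c) || c == '.'))
            return 0;
    }
    return 1;
}

/* Hypothetical stand-in for the check-then-add step: writes
 * "<prefix><name>=<value>" into out only when the value passes the
 * allowlist. Returns 0 on success, -1 if rejected or out is too small. */
int format_env_entry(char *out, size_t outsz, const char *prefix,
                     const char *name, const char *val, size_t len)
{
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    /* Validate all len bytes: a length-delimited value may contain a
     * NUL that strlen() would stop at. */
    if (len > 255 || !value_is_clean(val, len))
        return -1;
    int n = snprintf(out, outsz, "%s%s=%.*s", prefix, name, (int)len, val);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real lease. */
    const char *samples[] = { "dhcp1.example.net", "srv name", "srv;x", "a$b" };
    char entry[128];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = format_env_entry(entry, sizeof(entry), "new_", "server_name",
                                  samples[i], strlen(samples[i]));
        printf("%-18s -> %s\n", samples[i], rc == 0 ? entry : "rejected");
    }
    return 0;
}
```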