Has been on HN a couple of times in the past, but it's worth a repost.
The takeaway: something isn't a security bug just because you can get a program to misbehave based on user input. It has to lead to a privilege escalation, letting the user do something they couldn't otherwise do (e.g. if the input might come from an untrusted source that couldn't directly just do the thing itself).
1 comment
[ 4.6 ms ] story [ 17.0 ms ] threadThe takeaway: something isn't a security bug just because you can get a program to misbehave based on user input. It has to lead to a privilege escalation, letting the user do something they couldn't otherwise do (e.g. if the input might come from an untrusted source that couldn't directly just do the thing itself).