GitHub RCE by Environment variable injection Bug Bounty writeup

I decided to actually read man ld.so and came across this:<p><pre><code> --ignore-rpath LIST Ignore RPATH and RUNPATH information in object names in LIST. This option has been supported by glibc2 for about one hour. Then it was renamed into: --inhibit-rpath LIST </code></pre> I&#x27;m not sure if it&#x27;s a joke or an incredible testament to backwards compatibility.<p>I&#x27;ve been writing a COFF linker recently, and have been reading lots of comments and man pages about linkers and loaders. The more i read, i think dynamic linking isn&#x27;t such a good idea after all.

They must&#x27;ve expected usernames to not contain anything other than alphanumeric characters... this is yet another example of the fact that if you write code that consumes external, untrusted input, always expect every single byte value from 0 to 0xFF could be present, and deal with them accordingly.

We prevent this specific attack in Kiln by only allowing specific environment variables to be set.

Any idea what the bounty was for this finding?

Will this affect bitbucket as well?