Heh, this whole thing is getting silly.
Yes, it is. Very.
Everyone has pointed out that there shouldn't be a remote code execution vulnerability in the code, it makes all the users of the software vulnerable to attack. Even if rico666 doesn't abuse this at some point, if anyone breaks into the server, they can use it to do anything they want on all of the users machines.
If someone breaks into the server (and this goes undetected for a while). Unlikely, but never say never.
Still, an attacker could not do "anything they want on all of the users machines".
Stop spreading the FUD or end of discussion. You mention sandboxed environment yourself down below, so drop the tragic tone.
That said, it's apparent rico666 isn't interested in resolving the issue, and will continue to ship code with a RCE vulnerability, despite being told be the general masses
The general masses are wrong on this issue. rico666 has asked for an alternative form of validation, and the general masses may educate themself on the theoretical problem behind the whole matter. When the general masses have achieved at least basic knowledge of this issue - a pretty standard topic in computer science - the general masses may shut up because of understanding the matter.
that this is unacceptable. The simple answer now is that users of the software need to be aware of what they are signing up for, and the risks it entails. As such, the simple answer is unless you have a strongly sandboxed environment to run this code in and understand the risks fully, I wouldn't recommend running it at all.
Babbling is unacceptable. There is a big fat warning and disclaimer on the download page. Potential MiTM issues will have been addressed and will be fixed in the next release.
So yes, your last statement is merely repeating what the
download page, the
On LBC Security page and many other pages say.