Manual and README.md make incorrect claims about ShellShock
Created by: andychu
It is written entirely in Rust, which greatly increases the overall quality and security of the shell, eliminating the possibilities of a ShellShock-like vulnerability , and making development easier.
I believe this statement is incorrect. As far as I can tell, the author of this line is thinking of ShellShock as a memory corruption bug like a buffer overflow. Because Rust protects against buffer overflows, then ShellShock must be impossible.
But ShellShock is not a buffer overflow. It's a string safety bug, more like a "self shell injection" or SQL injection.
You can write ShellShock in any language (Java, Python, etc.). You just look at environment variables (which are untrusted, which will come from HTTP params in CGI) and evaluate shell code in them. Memory safety doesn't prevent this.
https://en.wikipedia.org/wiki/Shellshock_(software_bug)
Do you agree? I suggest removing the lines about ShellShock from the documentation.
I'm planning to write a bunch posts about shell and security on my blog [1], so I don't want to call this out before getting your take on it.