From 0adf5c56a1de4367df654a533e8ab1f516c8e065 Mon Sep 17 00:00:00 2001
From: "Manuel Amador (Rudd-O)"
Date: Wed, 10 Feb 2016 02:37:33 +0000
Subject: [PATCH] add security note to bombshell-client

---
 bin/bombshell-client | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/bin/bombshell-client b/bin/bombshell-client
index de2c504..98be6de 100755
--- a/bin/bombshell-client
+++ b/bin/bombshell-client
@@ -1,6 +1,15 @@
 #!/usr/bin/python -u

 import cPickle
+# Security note:
+#
+# If you look at cPickle usage in bombshell, it's only used to package up
+# the command line at the initiator side, and then it is unpacked at the
+# receiver side. Given that the initiator has already been given all
+# permissions to run arbitrary programs on the receiver, there is no
+# additional security risk posed by the use of cPickle.
+#
+# End security note.
 import contextlib
 import fcntl
 import os
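Review bot: The added security note justifies cPickle by the current direction of the data, but it does not record that direction as an invariant the code has to keep. The argument holds only while the receiver is the sole side that unpickles and the initiator never unpickles anything the receiver sends back. I would add a line such as `# Invariant: only the receiver unpickles; the initiator must never unpickle data sent by the receiver.` and move the note directly above `import cPickle` instead of splitting the import block after it. The unpickling call sites are outside this hunk, so whether the invariant holds today cannot be confirmed from here. Since the note describes the payload as just the command line, a data-only encoding such as `json` would carry it without needing this justification at all.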