Results: 21 issues of mengww
Code injection could happen via an environment variable. In the code [here](https://github.com/Kedreamix/Linly-Talker/blob/c7be21b1b83d6ba227aa6f71bcb1874ee709baec/GPT_SoVITS/inference_webui.py#L51), it directly evals the value from an environment variable. A malicious local actor could set something like `export is_half='os.system("touch rickroll")'` to...