undocumented failure mode, possible security issue on mac

[simonmichael]

Ccing here as requested: I just started using req in hledger, and noticed that on mac it runs the security program in PATH (noticed because I was testing with a restricted PATH). Eg this code runs it:

  result <- try $ runReq defaultHttpConfig $ req GET url NoReqBody bsResponse (R.responseTimeout httptimeout)

This is probably the same as kazu-yamamoto/crypton-certificate#9 , reported last year. I figure you and req users should probably be made aware of this for two reasons: it's described as a security problem (because it searches PATH), and it can terminate your program unexpectedly when security isn't found.

[mrkkrp]

Hi, thanks for reporting this. I'll add a note about this in the readme. Do you know what could be done about it on our side? I imagine we get this through eventually depending on crypton-certificate. It is not too clear what they intend to do about it though...