https://issues.dlang.org/show_bug.cgi?id=15584
--- Comment #6 from Cédric Picard <cpic...@openmailbox.org> ---

@ketmar This is not an issue about executing code. This is a case where the victim doesn't have to execute *any* line of the given program, not one line; compiling it is enough to be attacked.

Besides, even if it were about executing code, note that we already decided that as long as it is in the compilation process it was an issue. Otherwise why did we bother enforcing that the compiler can't read or write arbitrary files during CTFE? Isn't it because we know that we can't expect the user to carefully read every line of the code he is compiling and that the compiler had some responsibility regarding this in the compilation process?

I stand on my position: an attack is possible that requires only running the compiler without passing it any special argument, without executing any script and without executing the resulting program. It is the responsibility of the compiler.