Hello Tobias, and Bastien,

On 22 November 2017 at 09:52, Dr. Tobias Quathamer <to...@debian.org> wrote:
> control: severity -1 important
>
> On 20.11.2017 at 12:29, Bastien ROUCARIES wrote:
>> Please document the implication of system.3 and popen.3, particularly
>> argument injection.
> Hi,
>
> thanks for the bug report, I'll take this upstream

I already noticed this Debian bug report, and made a few upstream
changes. See the Caveats subsection towards the end of the current
draft in upstream Git:
https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/man3/system.3
The main changes were to mention the PATH variable more explicitly and
to note that one should carefully sanitize the input of system().

> and we'll see how to
> get this better documented. Do you have a patch ready?
>
> Apart from that, I've lowered the severity of this bug. I do not agree
> with you that this missing documentation is release critical.

I agree. When I look through the source code of Fedora, I see dozens,
if not hundreds of programs using system(). And I imagine that most of
them are doing it quite safely. I find the advice given regarding
system() in the site that you mentioned [1], Bastien, is somewhat
overwrought. (And some of the advice there I find bizarre [2], which
makes me a little skeptical about the site generally.) Certainly, one
should be careful though. (But the same is true of any APIs that may
handle user-supplied input.)

Cheers,

Michael

[1] https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
[2] For example,
https://wiki.sei.cmu.edu/confluence/display/c/SIG34-C.+Do+not+call+signal%28%29+from+within+interruptible+signal+handlers
seems simply confused.
-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
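
The following is an added example, not part of the original message or of the man page. It contrasts passing input through system() with a shell-free posix_spawn() call that uses an absolute path and a fixed environment; the function names, the sample input and the use of /bin/echo are assumptions chosen for illustration.

```c
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Pattern the thread warns about: input is pasted into a string that
 * /bin/sh parses, so shell metacharacters in it become shell syntax. */
int echo_via_system(const char *text)
{
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "echo %s", text);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                      /* refuse truncated commands */
    int status = system(cmd);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Shell-free form: absolute program path (no PATH search), a fixed
 * environment, and the input passed as exactly one argv element. */
int echo_via_spawn(const char *text)
{
    char *const argv[] = { "echo", (char *)text, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid;
    int status;

    if (posix_spawn(&pid, "/bin/echo", NULL, NULL, argv, envp) != 0)
        return -1;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed, harmless input containing a shell metacharacter. */
    const char *input = "hello; exit 3";
    printf("system(): exit status %d\n", echo_via_system(input));
    printf("posix_spawn(): exit status %d\n", echo_via_spawn(input));
    return 0;
}
```

Input that begins with "-" is still read as an option by the target program, so validating it remains necessary even when no shell is involved.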