On Wed, Nov 22, 2017 at 10:58 AM, Michael Kerrisk (man-pages)
<mtk.manpa...@gmail.com> wrote:
> Hello Tobias, and Bastien,
>
> On 22 November 2017 at 09:52, Dr. Tobias Quathamer <to...@debian.org> wrote:
>> control: severity -1 important
>>
>> Am 20.11.2017 um 12:29 schrieb Bastien ROUCARIES:
>>> Please document the implication of system.3 and popen.3, particularly
>>> argument injection.
>> Hi,
>>
>> thanks for the bug report, I'll take this upstream
>
> I already noticed this Debian bug report, and made a few upstream
> changes. See the Caveats subsection towards the end of the current
> draft in upstream Git:
> https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/man3/system.3
> The main changes were to mention the PATH variable more explicitly and
> to note that one should carefully sanitize the input of system().
>
>> and we'll see how to
>> get this better documented. Do you have a patch ready?
>>
>> Apart from that, I've lowered the severity of this bug. I do not agree
>> with you that this missing documentation is release critical.
>
> I agree. When I look through the source code of Fedora, I see dozens,
> if not hundreds of programs using system(). And I imagine that most of
> them are doing it quite safely. I find the advice given regarding
> system() in the site that you mentioned [1] Bastien is somewhat
> overwrought. (And some of the advice there is I find bizarre[2], which
> makes me a little skeptical about the site generally.) Certainly, one
> should be careful though. (But the same is true of any APIs that may
> handle user-supplied input.)

Could you also warn about popen?

And mention that system(sprintf("command %s")) is a security hole.

BTW, escaping characters is hard with the shell; better to use execvp.

See private mail.
>
> Cheers,
>
> Michael
>
> [1] https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
> [2] For example,
> https://wiki.sei.cmu.edu/confluence/display/c/SIG34-C.+Do+not+call+signal%28%29+from+within+interruptible+signal+handlers
> seems simply confused.
> --
> Michael Kerrisk
> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
> Linux/UNIX System Programming Training: http://man7.org/training/
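An added example in C (not from this thread or the man-pages project) showing the system(sprintf("command %s")) pattern discussed above beside the execvp() alternative Bastien suggests: the untrusted string becomes one argv element, so no shell parses it. The function names and the hostile filename "x; id" are constructed for illustration.

```c
/* Added example (not from the man-pages thread): the sprintf()+system()
 * pattern beside a fork()/execvp() replacement that passes the untrusted
 * string as a single argv element, so no shell ever parses it. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The unsafe pattern: the untrusted string is spliced into a command line
 * that system() would hand to "sh -c". It is returned here, not executed,
 * so the shell's view of the input is visible: "x; id" yields two commands. */
int build_shell_command(const char *untrusted, char *buf, size_t size)
{
    int n = snprintf(buf, size, "ls -l %s", untrusted);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* The replacement: fork, execvp() the argv directly and return the child's
 * exit status (-1 on failure). No shell is involved, so each argv element
 * stays one argument regardless of which characters it contains. */
int spawn_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed: conventional status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Same job as the unsafe version, but the filename is one argument to ls. */
int list_file_safe(const char *untrusted)
{
    char *const argv[] = { "ls", "-l", (char *)untrusted, NULL };
    return spawn_argv(argv);
}

int main(void)
{
    const char *input = "x; id";    /* constructed hostile filename */
    char cmd[256];
    build_shell_command(input, cmd, sizeof cmd);
    printf("system() would run: sh -c '%s'\n", cmd);
    printf("execvp path: ls exit status %d, no 'id' run\n", list_file_safe(input));
    return 0;
}
```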
