> Could you also warn about popen ?

I already added a cross reference from popen(3) to the Caveats section
in system(3). I should have mentioned that before.

> And mention that system(sprintf("command %s")) is a security hole

That seems obviously dangerous. But don't you think it is covered by
this text:

    Any user input that is employed as part of command should be
    carefully sanitized, to ensure that unexpected shell commands or
    command options are not executed. Such risks are especially grave
    when using system() from a privileged program.

?

> BTW escaping char is hard with shell, better to use execvp

Agreed. I would not attempt escaping. Safer to allow only a whitelist
of permitted characters from user input.

Cheers,

Michael

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
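
An added example, not part of the original message or of the man pages: the approach agreed on above, with the user-supplied value checked against a whitelist and then passed as one argv element through execvp(), so no shell ever parses it. The function names and the permitted character set are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Whitelist check (character set is an assumption): accept only a non-empty
   string of permitted characters that cannot be mistaken for an option. */
int arg_is_permitted(const char *s)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;                      /* empty, or would parse as an option */
    return s[strspn(s, ok)] == '\0';   /* every character is on the list */
}

/* Run "prog arg" without a shell. Returns the child's exit status, or -1 if
   the argument is rejected or the child did not exit normally. */
int run_with_arg(const char *prog, const char *arg)
{
    if (!arg_is_permitted(arg))
        return -1;
    fflush(NULL);                      /* avoid duplicating buffered output */
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* arg stays a single argv element; nothing re-tokenizes it */
        char *const argv[] = { (char *)prog, (char *)arg, NULL };
        execvp(prog, argv);
        _exit(127);                    /* exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one plain file name, one with shell syntax. */
    printf("report.txt -> %d\n", run_with_arg("echo", "report.txt"));
    printf("x; id      -> %d\n", run_with_arg("echo", "x; id"));
    return 0;
}
```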