Hello Bastien

On 22 November 2017 at 14:53, Bastien ROUCARIES <roucaries.bast...@gmail.com> wrote:
> On Wed, Nov 22, 2017 at 2:45 PM, Michael Kerrisk (man-pages)
> <mtk.manpa...@gmail.com> wrote:
>>> Could you also warn about popen ?
>>
>> I already added a cross reference from popen(3) to the Caveats section
>> in system(3). I should have mentioned that before.
>>
>>> And mention that system(sprintf("command %s")) is a security hole
>>
>> That seems obviously dangerous. But don't you think it is covered by this
>> text:
>>
>>     Any user input that is employed as part of command should be
>>     carefully sanitized, to ensure that unexpected shell commands or
>>     command options are not executed. Such risks are especially grave
>>     when using system() from a privileged program.
>> ?
>
> Yes, but it does not avoid the temptation to use escape characters.
>>
>>> BTW escaping char is hard with shell, better to use execvp
>>
>> Agreed. I would not attempt escaping. Safer to allow only a whitelist
>> of permitted characters from user input.
>
> Could you therefore add:
> It is particularly hard to escape arguments portably on all POSIX
> systems, including shell variations. It is safer to allow only a
> whitelist of permitted characters from user input, taking care to use a
> sane IFS. Only alphanumeric characters with _ @ - are believed to be safe.
Do you have some supporting evidence for that last line? That's an
extremely conservative set. It excludes URLs, for instance.

Thanks,

Michael

> If you need to escape, better to use execvp.
>
> Please add also a warning about IFS
>
>>
>> Cheers,
>>
>> Michael

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
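The two alternatives the thread is weighing, as an added example that is not from the man-pages project or from either poster: the `system(sprintf(...))` pattern beside a version that checks user input against the whitelist proposed above (alphanumerics plus `_ @ -`) and then runs the program with fork()+execvp(), so no shell and therefore no IFS is involved. Function names are my own, and the rejection of a leading `-` (so the value cannot be read as a command option) is an assumption added on top of the proposed character set.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern the thread warns about: a shell metacharacter in `user`
 * changes the command, and a long `user` overflows cmd. Never called here. */
static int unsafe_list(const char *user)
{
    char cmd[256];
    sprintf(cmd, "ls -l %s", user);
    return system(cmd);
}
/* Whitelist from the thread (alphanumerics plus '_' '@' '-'); an empty
 * string and a leading '-' are also rejected so the value cannot be
 * parsed as a command option (an addition beyond the thread). */
static int is_safe_arg(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '@' && *s != '-')
            return 0;
    return 1;
}
/* fork()+execvp(): no shell is involved, so quoting rules and IFS never
 * apply to the arguments. Returns the child's exit status, or -1. */
static int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* Safe replacement for unsafe_list(): validate, then exec without a shell. */
static int safe_list(const char *user)
{
    if (!is_safe_arg(user))
        return -1;
    char *const argv[] = {"ls", "-l", (char *)user, NULL};
    return run_argv(argv);
}
```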