Roland Mainz wrote on 05/29/09 15:39:
>> If we're going to *parse* commands using spaces or what not, I vote
>> no, right now!
>
> I agree with Casper... we had that kind of proposal with |exec_system()|
> a while ago (AFAIK in security-discuss at opensolaris.org) and that
> proposal was "eaten&&trampled alive" (there should be always an option
> to pass _any_ content (except '\0') via arguments and environment
> variables and using a whitespace character for argument splitting
> violates that).
>

Yes, we did have that discussion with exec_system(). Going by the
popular vote at that time from the folks on [security-discuss], I
revised it to provide the two extended interfaces (_x and _xv) in
addition to the simpler system_noshell() function. If the arguments
contain any special characters like quotes (or anything for that
matter), the extended interfaces should be used.

-Sumanth
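
The point argued in this thread, shown as an added example that is not part of the original messages and does not use the proposed exec_system()/system_noshell() interfaces, whose signatures the thread does not show: a launcher that splits one string on whitespace cannot deliver an argument containing a space, while an argument vector delivers each element unchanged. The names `run_split` and `run_vector` are hypothetical, and the example assumes a POSIX system with `/bin/sh`, used only as a probe that reports how many arguments it received.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 16

/* Vector launcher (hypothetical name): every element reaches the child as-is.
 * Probe child sh -c 'exit $#' exits with its argument count; -1 on error. */
static int run_vector(char *const args[])
{
    char *argv[MAX_ARGS + 5] = { "sh", "-c", "exit $#", "probe" };
    int n = 0, status;
    pid_t pid;
    while (args[n] != NULL) {
        if (n == MAX_ARGS) return -1;
        argv[4 + n] = args[n];
        n++;
    }
    argv[4 + n] = NULL;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) { execv("/bin/sh", argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* String launcher (hypothetical name): splits on whitespace first. */
static int run_split(const char *cmdline)
{
    char buf[256], *args[MAX_ARGS + 1], *p = buf;
    int n = 0;
    if (strlen(cmdline) >= sizeof buf) return -1;
    strcpy(buf, cmdline);
    while (n < MAX_ARGS) {
        p += strspn(p, " \t");            /* skip separators */
        if (*p == '\0') break;
        args[n++] = p;                    /* token starts here */
        p += strcspn(p, " \t");
        if (*p != '\0') *p++ = '\0';      /* terminate the token */
    }
    args[n] = NULL;
    return run_vector(args);
}

int main(void)
{
    char *vec[] = { "my report.txt", "it's \"quoted\"", NULL }; /* constructed */
    printf("split: %d, vector: %d\n",
           run_split("my report.txt it's \"quoted\""), run_vector(vec));
}
```

The same two values arrive as four arguments through the splitting path and as two through the vector path; no quoting convention is involved in the second case because nothing parses the strings.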