On Fri, Feb 05, 2016 at 09:22:43AM +0100, Dmitrij D. Czarkoff wrote:
> Marc Espie said:
> > On Fri, Feb 05, 2016 at 02:14:54AM +0300, Vadim Zhukov wrote:
> > > 2016-02-05 2:03 GMT+03:00 Dmitrij D. Czarkoff <czark...@gmail.com>:
> > > > Michael Seyfert said:
> > > >> I'm trying to get this into the ports tree yet again.
> > > >>
> > > >> MOC is a console audio player with simple ncurses interface.  It
> > > >> supports OGG, WAV, MP3 and other formats.  Just run mocp, go to some
> > > >> directory using the menu and press enter to start playing the file.
> > > >> The program will automatically play the rest of the files in the
> > > >> directory.
> > > >
> > > > I added a patch to use file(1) instead of libmagic and marked this port
> > > > as SHARED_ONLY.
> > > >
> > > > Comments?  OKs?
> > > 
> > > Why not just use fork+exec, without need to care about escaping anymore?
> > > 
> > > --
> > >   WBR,
> > >   Vadim Zhukov
> > 
> > Yep, definitely NOT OKAY.
> > popen is a *broken* interface.
> > 
> > Do not ever use it;
> 
> Good to know.  Maybe manual for popen should explain the reasons?

It does. In BUGS.

The popen() argument always calls sh(1).

So you have to jump through hoops to try to sanitize stuff coming from outside,
ultimately failing.

Admittedly, system(3) does a better job of explaining it.
