Dear R Developers,

The documentation for "system2" only defines "args" as

    args: a character vector of arguments to 'command'.

This encourages the reader to think that R's system2 interface is passing its 
arguments unchanged to exec().

But I was surprised to find that under the hood, you're just pasting my 
arguments together and sending them to a subshell to be re-parsed:

    command <- paste(c(env, shQuote(command), args), collapse = " ")

What horror! Please fix or document the fact that system2 executes its 
ARGUMENTS and not just the command.

Aside from being relevant to data scientists, it's a big security hole. It 
means that, in some cases, something that looks like plain text in my R code 
will end up being executed as a command on my system, which seems dangerous to 
me.

    > my_data=c("<(>&2 echo oops)")
    > system2("echo",args=my_data)
    /dev/fd/63
    oops

Thank you,

Frederick

______________________________________________
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
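
A caller can apply the quoting that the message finds missing before handing arguments to system2. The following R code is an added example, not part of the original message or of R itself; `build_cmdline` and `system2_literal` are hypothetical names, and the `samples` vector is constructed. It assumes a Unix-alike R, where system2() passes a single string to the shell.

```r
# Added example; assumes a Unix-alike R where system2() hands one string to sh.

# Mirror of the line quoted in the message: how the command string is built.
build_cmdline <- function(command, args = character(), env = character()) {
  paste(c(env, shQuote(command), args), collapse = " ")
}

# Hypothetical wrapper: quote every argument so the shell treats it as data.
system2_literal <- function(command, args = character(), ...) {
  stopifnot(is.character(args), !anyNA(args))
  system2(command, args = shQuote(args, type = "sh"), ...)
}

my_data <- c("<(>&2 echo oops)")   # the string from the message

# What the shell is asked to parse, before and after quoting (nothing is run).
cat("unquoted:", build_cmdline("echo", my_data), "\n")
cat("quoted:  ", build_cmdline("echo", shQuote(my_data, type = "sh")), "\n")

# Constructed inputs covering other shell metacharacters, including a quote.
samples <- c(my_data, "it's a test", "a  b", "$HOME", "*.csv")
for (s in samples) {
  # printf '%s' prints its argument byte for byte, so the output must equal s.
  out <- system2_literal("printf", c("%s", s), stdout = TRUE)
  stopifnot(identical(out, s))
}
```

Quoting only stops the shell from re-parsing the arguments; the program being called still interprets its own options, such as arguments that begin with `-`.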