chip@tct.uucp (Chip Salzenberg) (05/03/90)
[Unix-specific; followups to comp.unix.questions]
According to dkeisen@Gang-of-Four.Stanford.EDU (Dave Eisen):
>system ("command > /dev/null 2>&1");
Beware system(). It calls /bin/sh to do its dirty work, which is one
reason it's so attractive to novice Unix programmers. However, if
anything in the command line is non-constant, then system() usually is
a security hole. Ignoring buffer size issues for the moment,
consider:
sprintf(buf, "/usr/lib/sendmail -oem '%s' <%s", address, tempfile);
system(buf);
Looks great, right? But what if the address is "'; rm -rf $HOME; '"?
Bzzt! You lose the security sweepstakes. I hope you have backups...
--
Chip Salzenberg at ComDev/TCT <chip%tct@ateng.com>, <uunet!ateng!tct!chip>
brnstnd@stealth.acf.nyu.edu (05/08/90)
In article <26405616.54D3@tct.uucp> chip@tct.uucp (Chip Salzenberg) writes:
> According to dkeisen@Gang-of-Four.Stanford.EDU (Dave Eisen):
> >system ("command > /dev/null 2>&1");
> Beware system(). [ points out security problems ]
> sprintf(buf, "/usr/lib/sendmail -oem '%s' <%s", address, tempfile);
> system(buf);
system() can be used safely. First, make sure your environment is
controlled. Second, add the address and the temporary file to the
environment. Finally, use
system("exec /usr/lib/sendmail -oem \"$ADD\" < \"$TEMPFILE\"");
Spawning the process yourself is better, but as Chip points out,
system() is simpler for novices.
Caveat: I haven't tested this.
---Dan
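The quote breakout Chip describes and the "spawn the process yourself" alternative Dan mentions, as an added C example that is not from either post: it only builds the sendmail command string to show where the quoting falls apart, then hands the same attacker-controlled address through fork+execvp as one literal argument (here to /bin/sh as a positional parameter, so the shell echoes it back untouched instead of running it). Assumes a POSIX system with /bin/sh; the address value and /tmp/msg are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define EVIL_ADDRESS "'; rm -rf $HOME; '"   /* constructed sample, from the thread */

/* Vulnerable pattern from the thread: data spliced into shell syntax.
 * Builds the string only; it is never handed to system(). */
int build_unsafe_cmd(char *buf, size_t n, const char *address, const char *tempfile)
{
    return snprintf(buf, n, "/usr/lib/sendmail -oem '%s' <%s", address, tempfile);
}

/* Safer pattern: no command string. fork+execvp an argv vector, so each element
 * reaches the program as one literal argument whatever characters it holds.
 * Child stdout is captured into out; returns the exit status, or -1 on error. */
int run_argv_capture(char *const args[], char *out, size_t outsz)
{
    int fd[2], status;
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execvp(args[0], args);
        _exit(127);                      /* exec failed */
    }
    close(fd[1]);
    size_t used = 0;
    ssize_t r;
    while (used + 1 < outsz && (r = read(fd[0], out + used, outsz - used - 1)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256], out[256];
    build_unsafe_cmd(cmd, sizeof cmd, EVIL_ADDRESS, "/tmp/msg");
    printf("shell would see: %s\n", cmd);  /* quotes closed, rm spliced in */
    /* The address travels as a positional parameter, not as script text. */
    char *const args[] = {"/bin/sh", "-c", "printf '%s' \"$1\"", "sh", EVIL_ADDRESS, NULL};
    run_argv_capture(args, out, sizeof out);
    printf("argument arrived literally: %s\n", out);
    return 0;
}
```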