Subject: Re: system(3) caveat
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Iain Hibbert <plunky@rya-online.net>
List: tech-userlevel
Date: 05/11/2006 21:44:22

On Thu, 11 May 2006, der Mouse wrote:

> Provided all you pass to system() is the user-provided string

that's exactly it.

> The only one that comes to mind is that this allows the user to run
> arbitrary shell commands.  This is not normally a risk, but if this
> gets used in an environment where some users have restricted shells
> that allow them to execute only certain commands, it could open up a
> way for them to bypass that restriction.

Hm, ok thanks - it won't be any kind of hidden feature, and I guess anybody
setting up such a system would be using a whitelist so should notice it
easily.

iain
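
An added example, not part of the original thread: the restricted-shell concern arises because system(3) hands the string to /bin/sh -c whatever the user's login shell is. The sketch below runs a user-supplied command line by direct exec against an allowlist instead; the function name run_allowed and the allowlist contents are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed allowlist: the only programs this sketch will start. */
static const char *const allowed[] = { "true", "date", "uptime", NULL };

/* Run a user-supplied command line without involving /bin/sh.
 * Returns the child's exit status, or -1 if rejected or on failure. */
int run_allowed(const char *user_cmd)
{
    char buf[256], *argv[16], *save = NULL;
    int argc = 0, status, i, ok = 0;
    pid_t pid;

    /* No shell parses this string, but refuse metacharacters anyway so
     * "true; id" is rejected rather than run as true with odd arguments. */
    if (strlen(user_cmd) >= sizeof(buf) ||
        strpbrk(user_cmd, ";&|<>$`\\\"'(){}*?[]~!#\n") != NULL)
        return -1;
    strcpy(buf, user_cmd);
    for (char *t = strtok_r(buf, " \t", &save); t != NULL && argc < 15;
         t = strtok_r(NULL, " \t", &save))
        argv[argc++] = t;
    argv[argc] = NULL;
    /* Exact match on the program name; a path such as /bin/sh never matches. */
    for (i = 0; argc > 0 && allowed[i] != NULL; i++)
        if (strcmp(argv[0], allowed[i]) == 0)
            ok = 1;
    if (!ok)
        return -1;
    pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);   /* direct exec: no sh -c in between */
        _exit(127);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    return run_allowed("true") == 0 && run_allowed("sh -c id") == -1 ? 0 : 1;
}
```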