system() & user input

Pavel Roskin proski at gnu.org
Mon Sep 9 16:24:06 UTC 2002


Hello!

> There is some unchecked and unquoted user input there
> (subject, to and copy in the pipe_mail(), sort option in the 
> edit_sort_cmd() and filename itself in the edit_block_process()).
> I don't like to see bug reports about something like 'I formatted file 
> `echo rm -rf /*`.c and I lost my system after it' or so on.  It seems we 
> need to quote such user input or use fork()+execvpe() for such cases.

You are right, we should not use system() unless the user expects the 
shell to interpret the commands, which is not the case in either of those 
functions.

I don't think those bugs can be actually exploited, but writing quoted
"some_command; rm -rf /" in the subject of e-mail can be a problem, and it
can really happen.

I actually don't understand the reason why mc_doublepopen() uses two
forks.  The comment doesn't say anything about it.  I'd like to see a more
unified approach to running external programs.

-- 
Regards,
Pavel Roskin