On Thu, 11 May 2006, der Mouse wrote:

> Provided all you pass to system() is the user-provided string

thats exactly it.

> The only one that comes to mind is that this allows the user to run
> arbitrary shell commands.  This is not normally a risk, but if this
> gets used in an environment where some users have restricted shells
> that allow them to execute only certain commands, it could open up a
> way for them to bypass that restriction.

Hm, ok thanks - it wont be any kind of hidden feature, and I guess anybody
setting up such a system would be using a whitelist so should notice it
easily.

iain