Subject: Re: system(3) caveat
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Iain Hibbert <email@example.com>
Date: 05/11/2006 21:44:22
On Thu, 11 May 2006, der Mouse wrote:
> Provided all you pass to system() is the user-provided string
that's exactly it.
> The only one that comes to mind is that this allows the user to run
> arbitrary shell commands. This is not normally a risk, but if this
> gets used in an environment where some users have restricted shells
> that allow them to execute only certain commands, it could open up a
> way for them to bypass that restriction.
Hm, ok thanks - it won't be any kind of hidden feature, and I guess anybody
setting up such a system would be using a whitelist so should notice it
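
An added example, not part of the original message or of the program under discussion: system(3) always runs its argument through /bin/sh, which is why a user-supplied string can step outside a restricted login shell. The sketch below instead runs the string through the account's own shell from the password database, assuming the restriction is enforced by that shell; the names account_shell, run_in_shell and run_user_command are hypothetical.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Shell configured for the account; an empty pw_shell field means /bin/sh. */
const char *account_shell(const struct passwd *pw)
{
    if (pw == NULL || pw->pw_shell == NULL || pw->pw_shell[0] == '\0')
        return "/bin/sh";
    return pw->pw_shell;
}

/* Run cmd as "<shell> -c cmd". Returns the exit status, 127 if the shell
 * could not be executed, or -1 on fork/wait failure or death by signal.
 * Unlike system(3), this does not adjust SIGINT/SIGQUIT/SIGCHLD handling. */
int run_in_shell(const char *shell, const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl(shell, shell, "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Replacement for system(user_string): the user's own (possibly restricted)
 * shell interprets the string, so its command restrictions still apply. */
int run_user_command(const char *cmd)
{
    return run_in_shell(account_shell(getpwuid(getuid())), cmd);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s 'command'\n", argv[0]);
        return 2;
    }
    return run_user_command(argv[1]) & 0xff;
}
```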