[ https://issues.apache.org/jira/browse/MESOS-6235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15515344#comment-15515344 ]
Jie Yu commented on MESOS-6235:
-------------------------------

commit 4390d2fd56da2124c9762190fc931c3fed433df4
Author: Kevin Klues <klue...@gmail.com>
Date:   Thu Sep 22 20:45:52 2016 -0700

    Added 'os::spawn()' to stout as 'argv' counterpart to 'os::system()'.

    Review: https://reviews.apache.org/r/52184/

> Add 'argv' variant of 'os::system'
> ----------------------------------
>
>                 Key: MESOS-6235
>                 URL: https://issues.apache.org/jira/browse/MESOS-6235
>             Project: Mesos
>          Issue Type: Task
>            Reporter: Kevin Klues
>            Assignee: Kevin Klues
>             Fix For: 1.1.0, 1.0.2
>
>
> The {{os::system()}} function always spawns whatever string you pass to it as
> a direct argument to {{sh -c '<arg_string>'}}. However, this can be
> problematic if you build {{<arg_string>}} from user supplied input and they
> have the opportunity to inject arbitrary commands at the end of it (e.g. by
> adding a "; rm -rf" as part of the last user supplied argument).
> To counter this, we should introduce a variant of {{os::system()}} that takes
> a single command and a list of args (similar to the {{posix_spawn()}}
> function).

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
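
The difference the issue description draws between {{sh -c '<arg_string>'}} and an argv-style spawn, as an added C example (not code from the Mesos commit or from stout). The function names and the sample input are constructed for illustration, `true` is assumed to be on PATH, and a harmless "; exit 7" stands in for the injected command so the result is visible in the exit status.

```c
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

extern char **environ;

/* Constructed sample input: a "filename" carrying a trailing shell command. */
static const char *UNTRUSTED = "report.txt; exit 7";

/* Decode a wait status into the child's exit code, or -1 on abnormal exit. */
static int exit_code(int status) {
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* system()-style: the whole string is handed to `sh -c`, so the shell
 * parses the ';' in the untrusted part as a command separator. */
int run_via_shell(const char *arg) {
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "true %s", arg);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;  /* refuse truncation */
    return exit_code(system(cmd));
}

/* argv-style: no shell is involved; the untrusted string reaches the
 * program as one literal argument, metacharacters included. */
int run_via_argv(const char *arg) {
    char *const argv[] = { "true", (char *)arg, NULL };
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, "true", NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return exit_code(status);
}

int main(void) {
    printf("sh -c : exit %d\n", run_via_shell(UNTRUSTED));
    printf("argv  : exit %d\n", run_via_argv(UNTRUSTED));
    return 0;
}
```

An exit status of 7 from the shell variant means the text after the ";" ran as a second command; the argv variant exits 0 because `true` received the whole string as a single argument.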