On Tue, Jan 17, 2012 at 07:51:12AM +0100, Richard Braun wrote:
> On Tue, Jan 17, 2012 at 03:03:19AM +0100, Laurent Bercot wrote:
> > Yes, and that's not a problem. system() is a horrible interface
> > anyway, if only because of the automatic shell invocation and
> > parsing; no self-respecting Unix programmer should ever use it.
> > system() needs to be implemented for pure standards conformance,
> > but it can be done as it was conceived, i.e. as a quick and dirty
> > hack. Please, don't spend more time on it than strictly necessary
> > and keep your brain power available for more interesting parts of
> > the libc.
>
> This is probably why this bug was overlooked for so long. Unfortunately,
> it's become more or less common practice in companies I've been working
> at, which is how I caught it (just to insist on the fact I don't
> personally use system() to anyone who can hire ;-)).
These sound like companies whose products should be avoided. ;-)

In all seriousness, any program using system() almost surely has very
buggy, and likely vulnerable, corner cases that will break horribly on
odd filenames, etc. There's almost never an instance of system() that
should not be replaced with posix_spawn+waitpid.

Rich

_______________________________________________
uClibc mailing list
http://lists.busybox.net/mailman/listinfo/uclibc
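The posix_spawn+waitpid replacement Rich recommends, as an added example that is not code from this thread or from uClibc; it assumes a POSIX system with `test`, `ls`, `true` and `false` on PATH, and `run_argv` / `metachar_arg_survives` are names chosen here.

```c
// Added example (not from the thread): replacing system() with posix_spawnp + waitpid.
// The command is an argv vector, so a filename containing shell metacharacters such as
// ';' or '$(' reaches the child as one literal argument and is never parsed by a shell.
#include <errno.h>
#include <spawn.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Spawn argv[0] (searched on PATH like execvp) and wait for it.
 * Returns the child's exit status (0..255), 128+signal if it was killed,
 * or -errno if the spawn itself failed. No shell is involved at any point. */
int run_argv(char *const argv[])
{
    pid_t pid;
    int err = posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ);
    if (err != 0)
        return -err;            /* e.g. -ENOENT: command not found */

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)     /* retry only on interrupted wait */
            return -errno;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -ECHILD;             /* neither exited nor signaled; treat as error */
}

/* Check that an argument full of shell metacharacters reaches the child intact.
 * "test STR = STR" exits 0 only if both operands compare equal, which they do
 * because each is one argv entry. Under system("test STR = STR") the ';' would
 * terminate the command and the remainder would run as a second command. */
int metachar_arg_survives(void)
{
    char *argv[] = { "test", "odd name; echo injected", "=", "odd name; echo injected", NULL };
    return run_argv(argv);      /* 0 */
}

int main(void)
{
    /* Constructed odd filename: ls receives it as a single argument. */
    char *ls[] = { "ls", "-l", "--", "file with spaces; and $(metachars)", NULL };
    printf("ls exited with %d\n", run_argv(ls));
    printf("metachar check: %d\n", metachar_arg_survives());
    return 0;
}
```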
