The curious case of shell commands, or how "this bug is required by POSIX"
a year ago
- #shell-scripting
- #system-calls
- #security
- The article discusses tools that delegate command execution to `system(3)` and `sh -c`, which can lead to shell injection vulnerabilities.
- Common tools like `ssh`, `watch`, and `i3` are highlighted for their misleading behavior in handling commands and arguments.
- The article provides a detailed analysis of the `system(3)` function and its implications, including examples of how command arguments can be mishandled.
- Solutions and workarounds are suggested, such as proper quoting and escaping of commands and arguments, and using `exec --` to avoid misinterpretation of commands as options.
- A 'Wall of Shame' lists tools and libraries that expose unsafe behavior, while a 'Wall of Fame' praises those that handle command execution safely.
- A critical bug in the `system(3)` implementation is discussed, where commands starting with a hyphen can be misinterpreted as options, leading to unexpected behavior.
- The author has reported these issues to relevant projects and standards bodies, emphasizing the need for safer defaults and better documentation.
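
The argument-handling problem summarized above, as an added example (not code from the article): the same argv is joined with plain spaces and then with per-argument quoting before being handed to `sh -c`. The function names and the sample argv are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo, not code from the article.

# Quote one argument for POSIX sh: wrap it in single quotes and rewrite
# every embedded ' as '\''. The trailing "x" sentinel keeps trailing
# newlines from being stripped by command substitution.
sh_quote() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Unsafe: glue the arguments together with spaces, losing their boundaries.
join_naive() {
    printf '%s' "$*"
}

# Safe: quote each argument so the shell parses back the same argv.
join_quoted() {
    out=
    for a in "$@"; do
        out="$out${out:+ }$(sh_quote "$a")"
    done
    printf '%s' "$out"
}

# Hand a command string to the shell the way system(3) does. The "--"
# ends option parsing, so a string starting with "-" stays a command.
run_via_sh() {
    sh -c -- "$1"
}

# Constructed argv: a command, a format string and two data arguments.
demo() {
    set -- printf '%s,' 'two words' 'x; echo injected'
    echo "naive : $(run_via_sh "$(join_naive "$@")")"
    echo "quoted: $(run_via_sh "$(join_quoted "$@")")"
}
demo
```

With the naive join the second data argument is split and its tail runs as a separate command; with quoting, `printf` receives exactly the two data arguments it was given.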