[External] security holes in system2
I think that any code that uses system() (or system2() or shell()) has a big security hole. -Bill On Mon, Mar 14, 2022 at 8:49 AM Barry Rowlingson <
b.rowlingson at lancaster.ac.uk> wrote:
command <- paste(c(env, shQuote(command), args), collapse = " ")
What horror! Please fix or document the fact that system2 executes its
ARGUMENTS and not just the command.
Aside from being relevant to data scientists, it's a big security hole.
It
means that, in some cases, something that looks like plain text in my R code will end up being executed as a command on my system, which seems dangerous to me.
If this is affecting you now and you need a solution then the `sys` package has `exec_wait`: The hacker tries and succeeds in running `rm` with `system2`:
> system2("echo", args="hello world ; rm /etc/systemfile")
hello world rm: cannot remove '/etc/systemfile': No such file or directory because the semicolon starts a new command, but fails with `sys::exec_wait`:
sys::exec_wait("echo", args="hello world ; rm /etc/systemfile")
hello world ; rm /etc/systemfile
where it echoes all the args.
For simple applications it should be a drop-in replacement.
best,
Bobby Tables
[[alternative HTML version deleted]]
______________________________________________ R-devel at r-project.org mailing list https://stat.ethz.ch/mailman/listinfo/r-devel