[Rd] security holes in system2
Frederick Eaton
|reder|k @end|ng |rom o|b@net
Thu Mar 10 17:22:26 CET 2022
Dear R Developers,
The documentation for "system2" only defines "args" as
args: a character vector of arguments to 'command'.
This encourages the reader to think that R's system2 interface is passing its arguments unchanged to exec().
But I was surprised to find that under the hood, you're just pasting my arguments together and sending them to a subshell to be re-parsed:
command <- paste(c(env, shQuote(command), args), collapse = " ")
What horror! Please fix or document the fact that system2 executes its ARGUMENTS and not just the command.
Aside from being relevant to data scientists, it's a big security hole. It means that, in some cases, something that looks like plain text in my R code will end up being executed as a command on my system, which seems dangerous to me.
> my_data=c("<(>&2 echo oops)")
> system2("echo",args=my_data)
/dev/fd/63
oops
Thank you,
Frederick
More information about the R-devel
mailing list