[Rd] [External] security holes in system2
Barry Rowlingson
b@row||ng@on @end|ng |rom |@nc@@ter@@c@uk
Mon Mar 14 16:48:31 CET 2022
>
> command <- paste(c(env, shQuote(command), args), collapse = " ")
>
> What horror! Please fix or document the fact that system2 executes its
> ARGUMENTS and not just the command.
>
> Aside from being relevant to data scientists, it's a big security hole. It
> means that, in some cases, something that looks like plain text in my R
> code will end up being executed as a command on my system, which seems
> dangerous to me.
>
If this is affecting you now and you need a solution then the `sys` package
has `exec_wait`:
The hacker tries and succeeds in running `rm` with `system2`:
> system2("echo", args="hello world ; rm /etc/systemfile")
hello world
rm: cannot remove '/etc/systemfile': No such file or directory
because the semicolon starts a new command, but fails with `sys::exec_wait`:
> sys::exec_wait("echo", args="hello world ; rm /etc/systemfile")
hello world ; rm /etc/systemfile
where it echoes all the args.
For simple applications it should be a drop-in replacement.
best,
Bobby Tables
[[alternative HTML version deleted]]
More information about the R-devel
mailing list