[Rd] [External] security holes in system2
Bill Dunlap
w||||@mwdun|@p @end|ng |rom gm@||@com
Mon Mar 14 17:30:57 CET 2022
I think that any code that uses system() (or system2() or shell()) has a
big security hole.
-Bill
On Mon, Mar 14, 2022 at 8:49 AM Barry Rowlingson <
b.rowlingson using lancaster.ac.uk> wrote:
> >
> > command <- paste(c(env, shQuote(command), args), collapse = " ")
> >
> > What horror! Please fix or document the fact that system2 executes its
> > ARGUMENTS and not just the command.
> >
> > Aside from being relevant to data scientists, it's a big security hole.
> It
> > means that, in some cases, something that looks like plain text in my R
> > code will end up being executed as a command on my system, which seems
> > dangerous to me.
> >
>
>
> If this is affecting you now and you need a solution then the `sys` package
> has `exec_wait`:
>
> The hacker tries and succeeds in running `rm` with `system2`:
>
> > system2("echo", args="hello world ; rm /etc/systemfile")
> hello world
> rm: cannot remove '/etc/systemfile': No such file or directory
>
> because the semicolon starts a new command, but fails with
> `sys::exec_wait`:
>
> > sys::exec_wait("echo", args="hello world ; rm /etc/systemfile")
> hello world ; rm /etc/systemfile
>
> where it echoes all the args.
>
> For simple applications it should be a drop-in replacement.
>
> best,
> Bobby Tables
>
> [[alternative HTML version deleted]]
>
> ______________________________________________
> R-devel using r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>
[[alternative HTML version deleted]]
More information about the R-devel
mailing list