Re: Secure popen

From: Peter Jeremy (peter.jeremyat_private)
Date: Wed Jun 20 2001 - 21:37:49 PDT

    On 2001-Jun-20 06:14:59 -0700, SBNelsonat_private wrote:
    >Please help me understand.  What would be wrong with using popen(2) with
    >"/usr/lib/sendmail -oi -t" and passing the to/subject lines via input to
    >sendmail?  Is there something wrong with popen itself?
    
    popen(3) effectively does "/bin/sh -c 'popen_argument'".  If your
    program checks the environment passed to the shell, then popen(3)
    with a hard-wired argument is safe.  If the user can control the
    environment that /bin/sh gets, then all bets are off.
    
    For the above string, consider the impact of IFS=/ in the environment.
    
    Peter
    


