[Rd] security holes in system2

Frederick Eaton |reder|k @end|ng |rom o|b@net
Thu Mar 10 17:22:26 CET 2022

Dear R Developers,

The documentation for "system2" only defines "args" as

args: a character vector of arguments to 'command'.

This encourages the reader to think that R's system2 interface is passing its arguments unchanged to exec().

But I was surprised to find that under the hood, you're just pasting my arguments together and sending them to a subshell to be re-parsed:

command <- paste(c(env, shQuote(command), args), collapse = " ")

What horror! Please fix or document the fact that system2 executes its ARGUMENTS and not just the command.

Aside from being relevant to data scientists, it's a big security hole. It means that, in some cases, something that looks like plain text in my R code will end up being executed as a command on my system, which seems dangerous to me.

> my_data=c("<(>&2 echo oops)")
> system2("echo",args=my_data)
/dev/fd/63
oops

Thank you,

Frederick