[Rd] [External] security holes in system2

Barry Rowlingson b@row||ng@on @end|ng |rom |@nc@@ter@@c@uk
Mon Mar 14 16:48:31 CET 2022

>      command <- paste(c(env, shQuote(command), args), collapse = " ")
> What horror! Please fix or document the fact that system2 executes its
> ARGUMENTS and not just the command.
> Aside from being relevant to data scientists, it's a big security hole. It
> means that, in some cases, something that looks like plain text in my R
> code will end up being executed as a command on my system, which seems
> dangerous to me.

If this is affecting you now and you need a solution then the `sys` package
has `exec_wait`:

The hacker tries and succeeds in running `rm` with `system2`:

 > system2("echo", args="hello world ; rm /etc/systemfile")
hello world
rm: cannot remove '/etc/systemfile': No such file or directory

because the semicolon starts a new command, but fails with `sys::exec_wait`:

> sys::exec_wait("echo", args="hello world ; rm /etc/systemfile")
hello world ; rm /etc/systemfile

where it echoes all the args.

For simple applications it should be a drop-in replacement.

 Bobby Tables

	[[alternative HTML version deleted]]

More information about the R-devel mailing list