[Rd] [External] security holes in system2
w||||@mwdun|@p @end|ng |rom gm@||@com
Mon Mar 14 17:30:57 CET 2022
I think that any code that uses system() (or system2() or shell()) has a
big security hole.
On Mon, Mar 14, 2022 at 8:49 AM Barry Rowlingson <
b.rowlingson using lancaster.ac.uk> wrote:
> > command <- paste(c(env, shQuote(command), args), collapse = " ")
> > What horror! Please fix or document the fact that system2 executes its
> > ARGUMENTS and not just the command.
> > Aside from being relevant to data scientists, it's a big security hole.
> > means that, in some cases, something that looks like plain text in my R
> > code will end up being executed as a command on my system, which seems
> > dangerous to me.
> If this is affecting you now and you need a solution then the `sys` package
> has `exec_wait`:
> The hacker tries and succeeds in running `rm` with `system2`:
> > system2("echo", args="hello world ; rm /etc/systemfile")
> hello world
> rm: cannot remove '/etc/systemfile': No such file or directory
> because the semicolon starts a new command, but fails with
> > sys::exec_wait("echo", args="hello world ; rm /etc/systemfile")
> hello world ; rm /etc/systemfile
> where it echoes all the args.
> For simple applications it should be a drop-in replacement.
> Bobby Tables
> [[alternative HTML version deleted]]
> R-devel using r-project.org mailing list
[[alternative HTML version deleted]]
More information about the R-devel