0

Why is it said that using the system function in production code is not advisable? How is this different from using the exec family of functions?

Clarification: I have read in many places that it is unwise to use the system function when we are doing something at a commercial level. But it never occurred to me what the problem might be, and how using the exec family is considered better than system. As far as I am concerned, my concerns are clarified.

Amrith Krishna
  • 1
    http://stackoverflow.com/questions/732832/php-exec-vs-system-vs-passthru – Phil Cross Feb 09 '14 at 16:47
  • 2
    If the input is coming from external sources or users, you should definitely avoid it or sanitize it. For example, you read a line of data and then call `os.system`; a user can input `echo "Welcome" > test.txt`. This would create a file on your server. This is just an example; the actual attack vectors would be very interesting and dangerous. – thefourtheye Feb 09 '14 at 16:49
  • 1
    In Python you should use the [subprocess](http://docs.python.org/2/library/subprocess.html) module(with `shell=False` for [untrusted input](http://docs.python.org/2/library/subprocess.html#frequently-used-arguments)) not the functions provided by the `os` module. – Ashwini Chaudhary Feb 09 '14 at 16:53
  • 1
    Re the 'put on hold' state, I thought it was reasonably clear. He's asking why `system` is unadvisable whereas `exec` is not. – abligh Feb 10 '14 at 14:28
  • @abligh, that's exactly what I meant. – Amrith Krishna Feb 10 '14 at 15:17

1 Answer

1

This question is tagged C, php and python. I don't know python, but the C and PHP system functions differ in at least one respect: the PHP function has an optional second argument.

In C (and, according to the documentation, PHP does the same thing), system runs the command by executing /bin/sh -c command. The issue here is whether command is completely under your control. If command is a constant string, you are reasonably safe. However, if command has any user-provided elements, you had better be very careful. Let's say you thought this was a good way to add a string $foo to a log.

```php
system ("echo '$foo' >> /var/log/bar");
```

in php is not going to be a great idea, because $foo might contain the following (including the quotes)

'x && /bin/rm -rf / && echo '

Much better to use something like exec, where you don't need to worry about quoting, separating parameters etc. (rather than passing it through /bin/sh), and even then you need to be very careful.

abligh
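As an added illustration (not code from the question, the answer, or any of the commenters): the answer's log-append pattern in Python, shown once as the command string that would be handed to /bin/sh -c, and once without a shell, as the comments recommend via subprocess with shell=False. The hostile entry is a constructed sample (a harmless marker in place of the answer's destructive command), and the example assumes a coreutils or busybox printf is on PATH.

```python
import os
import subprocess
import tempfile

# Constructed sample in the shape the answer describes: the leading quote
# closes the shell's quoting, then '&&' chains a second command.
HOSTILE_ENTRY = "'x && echo INJECTED && echo '"


def build_shell_command(entry: str, log_path: str) -> str:
    """The vulnerable pattern: splice the entry into a command line destined
    for /bin/sh -c. Returned as a string and never executed here, so the
    reader can see that the entry's quotes become shell syntax."""
    return f"echo '{entry}' >> {log_path}"


def append_log_safe(entry: str, log_path: str) -> None:
    """Hardened pattern: no shell at all. printf receives the entry as a
    single argv element, so quotes and '&&' are data, not syntax, and the
    parent process does the file append, so there is no redirection for a
    shell to interpret either."""
    with open(log_path, "ab") as log:
        subprocess.run(["printf", "%s\n", entry], stdout=log, check=True)


def read_log(log_path: str) -> str:
    with open(log_path, "rb") as log:
        return log.read().decode()


def demo() -> str:
    """Append the hostile entry without a shell and return what landed in
    the log: the literal entry, with nothing executed."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        append_log_safe(HOSTILE_ENTRY, path)
        return read_log(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("shell would receive:", build_shell_command(HOSTILE_ENTRY, "/var/log/bar"))
    print("log actually contains:", repr(demo()))
```

Had the first string been passed to a shell, the log would have received only an empty line while the injected command ran; the argv version writes the entry verbatim.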