The curious case of shell commands, or how "this bug is required by POSIX" (2021)

About the fatal perils and traps of many modern tools that handle "shell commands" passed through `system(3)` or `sh -c`. Or, how by the end of 2020 we still haven't given up on the shell's equivalent of "SQL building", and how the shell's equivalent of "SQL injection" still thrives in our engineering world... Plus a `glibc` bug, then a Linux man pages bug, then a POSIX specification bug...

Nothing really... Everything is fine... No planes are falling from the sky... Nobody is running around screaming while on fire... Everything is business as usual, unless you want to write some wrapper script that takes arbitrary user input and delegates it to one of these (and many other) broken tools... Therefore, when we write our scripts and tools we need to be aware of this situation and be prepared to escape and quote our commands and arguments accordingly, else we'll be subject to shell injections... (For scarier stuff one can read about Shellshock.) Alternatively, given that most likely the tool in question is an open-source project written by someone in their spare time, perhaps open a feature request describing the issue and, if possible, contribute a patch that solves it.
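As an added illustration of the "escape and quote accordingly" advice (example code written for this page, not from the original article), here is a POSIX `sh` quoting helper placed beside a wrapper that interpolates user input into a `sh -c` string unquoted and the same wrapper using the helper; the sample input is constructed and the function names are arbitrary:

```shell
# Added example, not from the original article. Assumption: the tool we wrap only
# accepts a single command string (as with system(3) / sh -c), so the caller must
# build that string itself and is responsible for quoting every argument.

# shell_quote STR: print STR wrapped in single quotes so that sh -c treats it as one
# literal word. An embedded single quote becomes '\'' (close quote, escaped quote,
# reopen quote). Pure POSIX parameter expansion, so newlines survive intact.
shell_quote() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of the remaining input
        s=${s#?}                 # drop it from the remaining input
        if [ "$c" = "'" ]; then
            out="$out'\\''"
        else
            out="$out$c"
        fi
    done
    printf "'%s'" "$out"
}

# The "SQL building" anti-pattern: raw interpolation into a command string.
# Anything after ';' in $1 is parsed by the inner sh as a second command.
echo_via_sh_unsafe() { sh -c "printf '[%s]\n' $1"; }

# Same wrapper, but the argument is quoted first; the inner sh sees one word.
echo_via_sh_safe() { sh -c "printf '[%s]\n' $(shell_quote "$1")"; }

# Constructed sample input containing shell metacharacters.
sample='hello; echo INJECTED'
echo_via_sh_unsafe "$sample"    # prints two lines: [hello] then INJECTED
echo_via_sh_safe "$sample"      # prints one line: [hello; echo INJECTED]
echo_via_sh_safe "it's"         # prints: [it's]
```

Where the wrapped tool can take an argument vector instead of a string, prefer that and skip the string building entirely; the quoting helper is for the cases the article complains about, where only a command string is accepted.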
