From 9dabcce55da6d672f27afa7c3cc49daf3ee3c3db Mon Sep 17 00:00:00 2001 From: Marc Espie Date: Fri, 5 Feb 2016 18:09:21 +0000 Subject: be more forceful about not using these. improvements sthen@, jmc@. okay millert@, jca@ jmc@ --- lib/libc/gen/popen.3 | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) (limited to 'lib/libc/gen/popen.3') diff --git a/lib/libc/gen/popen.3 b/lib/libc/gen/popen.3 index ba1b8cfc47f..7cda6a14fc1 100644 --- a/lib/libc/gen/popen.3 +++ b/lib/libc/gen/popen.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: popen.3,v 1.19 2014/08/31 02:21:18 guenther Exp $ +.\" $OpenBSD: popen.3,v 1.20 2016/02/05 18:09:20 espie Exp $ .\" .\" Copyright (c) 1991, 1993 .\" The Regents of the University of California. All rights reserved. @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: August 31 2014 $ +.Dd $Mdocdate: February 5 2016 $ .Dt POPEN 3 .Os .Sh NAME @@ -158,6 +158,23 @@ and a .Fn pclose function appeared in .At v7 . +.Sh CAVEATS +Never supply the +.Fn popen +function with a command containing any part of an unsanitized user-supplied +string. +Shell meta-characters present will be honored by the +.Xr sh 1 +command interpreter. +.Pp +It is often simpler to bypass the shell entirely and use +.Xr pipe 2 , +.Xr fork 2 , +.Xr dup2 2 , +.Xr execlp 3 , +and +.Xr fdopen 3 +directly instead of having to sanitize a string for shell consumption. .Sh BUGS Since the standard input of a command opened for reading shares its seek offset with the process that called @@ -176,8 +193,3 @@ failure to execute .Fa command , or an immediate exit of the command. The only hint is an exit status of 127. -.Pp -The -.Fn popen -argument always calls -.Xr sh 1 . -- cgit v1.2.3
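Review bot: In the second paragraph of the new CAVEATS section (hunk at -158,6 +158,23), the list of calls offered as a replacement has nothing that takes the place of pclose. A caller who follows it with pipe(2), fork(2), dup2(2), execlp(3) and fdopen(3) still has to reap the child and collect its exit status, so I would add ".Xr waitpid 2 ," to the list. The first paragraph also says "unsanitized" without saying what a string safe for sh(1) looks like. Since the section already steers readers toward bypassing the shell, it could say outright that passing the user-supplied parts as separate exec arguments is the preferred form, rather than leaving sanitizing as an equal option.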
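Review bot: The last hunk (-176,8 +193,3) drops the BUGS paragraph "The popen argument always calls sh(1)", and the only replacement visible in this diff is the passing mention in CAVEATS that meta-characters "will be honored by the sh(1) command interpreter". That covers the consequence but no longer states the fact that the shell is always used. Please check that the DESCRIPTION section, which is outside the lines shown here, says so explicitly; if it does not, keep one sentence to that effect in CAVEATS.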