> > command <- paste(c(env, shQuote(command), args), collapse = " ") > > What horror! Please fix or document the fact that system2 executes its > ARGUMENTS and not just the command. > > Aside from being relevant to data scientists, it's a big security hole. It > means that, in some cases, something that looks like plain text in my R > code will end up being executed as a command on my system, which seems > dangerous to me. >If this is affecting you now and you need a solution then the `sys` package has `exec_wait`: The hacker tries and succeeds in running `rm` with `system2`: > system2("echo", args="hello world ; rm /etc/systemfile") hello world rm: cannot remove '/etc/systemfile': No such file or directory because the semicolon starts a new command, but fails with `sys::exec_wait`:> sys::exec_wait("echo", args="hello world ; rm /etc/systemfile")hello world ; rm /etc/systemfile where it echoes all the args. For simple applications it should be a drop-in replacement. best, Bobby Tables [[alternative HTML version deleted]]
I think that any code that uses system() (or system2() or shell()) has a big security hole. -Bill On Mon, Mar 14, 2022 at 8:49 AM Barry Rowlingson < b.rowlingson at lancaster.ac.uk> wrote:> > > > command <- paste(c(env, shQuote(command), args), collapse = " ") > > > > What horror! Please fix or document the fact that system2 executes its > > ARGUMENTS and not just the command. > > > > Aside from being relevant to data scientists, it's a big security hole. > It > > means that, in some cases, something that looks like plain text in my R > > code will end up being executed as a command on my system, which seems > > dangerous to me. > > > > > If this is affecting you now and you need a solution then the `sys` package > has `exec_wait`: > > The hacker tries and succeeds in running `rm` with `system2`: > > > system2("echo", args="hello world ; rm /etc/systemfile") > hello world > rm: cannot remove '/etc/systemfile': No such file or directory > > because the semicolon starts a new command, but fails with > `sys::exec_wait`: > > > sys::exec_wait("echo", args="hello world ; rm /etc/systemfile") > hello world ; rm /etc/systemfile > > where it echoes all the args. > > For simple applications it should be a drop-in replacement. > > best, > Bobby Tables > > [[alternative HTML version deleted]] > > ______________________________________________ > R-devel at r-project.org mailing list > stat.ethz.ch/mailman/listinfo/r-devel >[[alternative HTML version deleted]]