symbolic icon indicating copy to clipboard operation
symbolic copied to clipboard
verified publisher icon gnu-octave

sympref: Document the inherent insecurity of some IPC mechanisms (e.g. system)

Open alexvong243f opened this issue 3 years ago • 2 comments

Some of the IPC mechanisms currently in use are inherently insecure, such as system. We should at least document these caveats and consider deprecating them after the pythonic interface is ready for production use.

Quoting the man page of the C function system,

Any user input that is employed as part of command should be carefully sanitized, to ensure that unexpected shell commands or command options are not executed. Such risks are especially grave when using system() from a privileged program.

See also discussion in #1140.

alexvong243f avatar Jun 22 '22 05:06 alexvong243f

Just to keep our priorities in order: our upstream makes use of eval [1]. Not that we should ignore security stuff at our end, of course.

[1] https://github.com/sympy/sympy/issues/10805

cbm755 avatar Jun 25 '22 02:06 cbm755

Sure, we can deal with this later.

alexvong243f avatar Jun 25 '22 09:06 alexvong243f