public inbox for cygwin@cygwin.com
From: Eric Blake <eblake@redhat.com>
To: cygwin@cygwin.com, pnbrown@llnl.gov
Subject: Re: system mkdir
Date: Fri, 02 Dec 2011 00:12:00 -0000
Message-ID: <4ED817DE.5030003@redhat.com>
In-Reply-To: <loom.20111202T003035-848@post.gmane.org>

On 12/01/2011 04:32 PM, Peter Brown wrote:
>>> Yes.  Use the mkdir() function.  That is, in fact, very similar to how it
>>> should be done in Visual Studio too.

I still say using mkdir() is the right solution - use a simple function,
rather than a call to system().

> This seems to work for me.
> 
> int MySystem(char *s)
> {
>   int answer;
>   char syscmd[2048];
>   sprintf(syscmd,"cmd /c bash -c 'umask 0077;%s'",s);
>   answer = system( syscmd );
>   return answer;

Ouch. A thousand times NOOOOO. DON'T DO THAT.  You just made a HUGE
security hole.  All I have to do is call:

MySystem("rm -rf /");

and I've nuked your system.  Or, I could call MySystem(<string longer
than 2048 bytes>) and stack overflow you.  Or any other number of flaws.

And even if those weren't issues, you ruined my quoting.  I should be
able to do system("echo 'a  b'") and get "a  b" on stdout, but the way
you butchered quoting, my single quotes terminate the argument to cmd,
and completely hose things.

You DON'T want to use system() unless absolutely necessary, and then
only with proper quoting.  And you don't want to use sprintf on
arbitrary input; stick to snprintf, or to asprintf.  And seriously -
calling cmd /c just to call bash just to call commands that will be
interpreted by bash, when you could have just used commands interpreted
by bash to begin with?  If system() isn't calling cygwin's /bin/sh, then
you aren't using cygwin properly.  Don't make it worse by wrapping
system() to go through another two layers of quoting nightmares.

-- 
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
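
The approach recommended in the message above (call mkdir() directly instead of going through system(), and bound string formatting with snprintf), as an added example that is not code from the thread or from Cygwin. The helper names `join_path` and `make_private_dir` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Join dir and name into out. snprintf never writes past outsz (sprintf
 * would); a result that does not fit is rejected rather than truncated. */
int join_path(char *out, size_t outsz, const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Create an owner-only directory with no shell involved. mkdir() applies
 * mode & ~umask, so the result is never more open than 0700.
 * Returns 0 on success or if such a directory already exists, else -1. */
int make_private_dir(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) == 0)
        return 0;
    if (errno != EEXIST)
        return -1;
    /* Already present: accept only a real directory (not a symlink),
     * owned by us, with no group/other permission bits. */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() || (st.st_mode & 077)) {
        errno = EEXIST;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2)
        return 2;
    if (make_private_dir(argv[1]) != 0) {
        perror(argv[1]);
        return 1;
    }
    return 0;
}
```

Because the path is passed to mkdir() as data and never parsed by a shell, quotes, semicolons and spaces in the name have no special meaning.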



Thread overview: 5+ messages
     [not found] <CAKfLWNo3MTYWNZj0G-giFSe8PkBsP+0P1J+C9u-nrvo0JfrZnw@mail.gmail.com>
2011-11-28 20:34 ` Fitzy
2011-11-28 20:50   ` Christopher Faylor
2011-11-29  0:06     ` Eric Blake
2011-12-01 23:32       ` Peter Brown
2011-12-02  0:12         ` Eric Blake [this message]
