[Bug libc/28519] New: system and popen should pass "--" between /bin/sh and argument

["eblake at redhat dot com" <sourceware-bugzilla@sourceware.org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=28519

            Bug ID: 28519
           Summary: system and popen should pass "--" between /bin/sh and
                    argument
           Product: glibc
           Version: 2.35
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: eblake at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

The POSIX developers recently learned that if system() and popen() are required
to NOT use "--", there are some cases where a user string is interpreted as
shell options instead of the command to execute (namely, if the user string
starts with '-' or '+'):

https://austingroupbugs.net/view.php?id=1440

https://mail-index.netbsd.org/current-users/2021/10/29/msg041629.html is an
interesting read on the topic, as well, including a very simple test case that
proves that glibc is not yet handling things right for system() (assuming you
do not have a trojan horse executable "-f" on your $PATH):

$ ed
! -f 
sh: line 1: -f: command not found
!
!-f
sh: -c: option requires an argument
!
q

Whether or not the POSIX folks actually require "--" in the Issue 8 revision of
POSIX (or defer it to Issue 9 because of complaints that it's not standard
behavior yet), glibc really should fix its implementation to pass "--" now.  If
nothing else, the more implementations have correct behavior now, the easier it
will be for POSIX to say it is standard behavior for Issue 8.

Modulo testsuite additions (and maybe also fixing wordexp(), it may be as
simple as:

diff --git i/libio/iopopen.c w/libio/iopopen.c
index 0266d19870..8d8cd1382c 100644
--- i/libio/iopopen.c
+++ w/libio/iopopen.c
@@ -85,7 +85,7 @@ spawn_process (posix_spawn_file_actions_t *fa, FILE *fp,
const char *command,
     }

   if (__posix_spawn (&((_IO_proc_file *) fp)->pid, _PATH_BSHELL, fa, 0,
-                    (char *const[]){ (char*) "sh", (char*) "-c",
+                    (char *const[]){ (char*) "sh", (char*) "-c", (char*) "--",
                     (char *) command, NULL }, __environ) != 0)
     return false;

diff --git i/sysdeps/posix/system.c w/sysdeps/posix/system.c
index 48668fb392..42e839aa9d 100644
--- i/sysdeps/posix/system.c
+++ w/sysdeps/posix/system.c
@@ -147,6 +147,7 @@ do_system (const char *line)
   ret = __posix_spawn (&pid, SHELL_PATH, 0, &spawn_attr,
                       (char *const[]){ (char *) SHELL_NAME,
                                        (char *) "-c",
+                                       (char *) "--",
                                        (char *) line, NULL },
                       __environ);
   __posix_spawnattr_destroy (&spawn_attr);

-- 
You are receiving this mail because:
You are on the CC list for the bug.