Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sympref: Document the inherent insecurity of some IPC mechanisms (e.g. system) #1143

Open
alexvong243f opened this issue Jun 22, 2022 · 2 comments
Open

sympref: Document the inherent insecurity of some IPC mechanisms (e.g. system) #1143

alexvong243f opened this issue Jun 22, 2022 · 2 comments
Labels
longterm

Comments

@alexvong243f
Copy link
Collaborator

Some of the IPC mechanisms currently in use are inherently insecure, such as system. We should at least document these caveats and consider deprecating them after the pythonic interface is ready for production use.

Quoting the man page of the C function system,

Any user input that is employed as part of command should be carefully sanitized, to ensure that unexpected shell commands or command options are not executed. Such risks are especially grave when using system() from a privileged program.

See also discussion in #1140.
@cbm755
Copy link
Collaborator

cbm755 commented Jun 25, 2022

Just to keep our priorities in order: our upstream makes use of eval [1]. Not that we should ignore security stuff at our end, of course.

[1] sympy/sympy#10805

@alexvong243f
Copy link
Collaborator Author

Sure, we can deal with this later.

@alexvong243f alexvong243f mentioned this issue Jul 19, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
longterm
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cbm755 @alexvong243f