Closed
Description
CRITICAL SECURITY VULNERABILITY
PR #517 claims 'Zero execute_command_line calls remain in the entire codebase' but this is COMPLETELY FALSE.
Evidence - 18 execute_command_line calls found:
Source Code (7 calls):
- fortplot_test_helpers.f90:308
- fortplot_matplotlib_io.f90:257, 261
- fortplot_system_runtime.f90:68, 244, 277, 324, 354, 356
- fortplot_security.f90:220, 662
- fortplot_system_timeout.f90:91
Test Code (8+ calls):
- test_example_output_structure.f90: Lines 32,33,35,37,39,41,44,46,48
- fortplot_imagemagick.f90: Lines 30,40,70,128,189,198,222
Example Code (1 call):
- save_animation_demo.f90:87
Impact:
- Command injection vulnerabilities STILL EXIST
- Shell metacharacter attacks STILL POSSIBLE
- Privilege escalation risks UNMITIGATED
- Security compliance COMPLETELY FAILED
Steps to Reproduce:
```shell
grep -r 'execute_command_line' src/ test/ example/ | wc -l
# Returns 18+ matches, not zero as claimed
```
Expected: Zero execute_command_line calls (as claimed in PR)
Actual: 18+ active security vulnerabilities remain
Severity: CRITICAL - Security implementation failure
Component: Security, Command Execution
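The reproduction step above is a bare `grep | wc -l`, which also counts commented-out calls and misses upper-case spellings (Fortran is case-insensitive). Below is an added audit helper, not part of the fortplot project or this issue, that lists and counts non-comment `execute_command_line` call sites per file; the sample tree it builds is constructed solely to exercise the function.

```shell
# Added example (not from the fortplot issue or project): audit helper that
# counts execute_command_line call sites in a Fortran tree. Unlike a bare
# `grep ... | wc -l`, it is case-insensitive, skips full-line comments
# (leading `!`) and reports per-file locations. Occurrences inside string
# literals or trailing comments are still counted (conservative for an audit).

# Print "path:line:text" for every non-comment occurrence under $1.
list_exec_calls() {
    grep -rIin --include='*.f90' --include='*.F90' 'execute_command_line' "$1" \
    | awk -F: '{ code = $3; sub(/^[ \t]+/, "", code)
                 if (substr(code, 1, 1) != "!") print }'
}

# Print the total number of non-comment call sites under $1.
count_exec_calls() {
    list_exec_calls "$1" | wc -l | tr -d ' '
}

# Build a small constructed tree: 3 real calls plus 1 commented-out call.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src" "$dir/test"
    cat > "$dir/src/runtime.f90" <<'EOF'
subroutine run(cmd)
  character(len=*), intent(in) :: cmd
  ! call execute_command_line(cmd)   ! commented out, must not count
  call EXECUTE_COMMAND_LINE(cmd, wait=.true.)
end subroutine run
EOF
    cat > "$dir/test/check.F90" <<'EOF'
program check
  call execute_command_line('ls')
  call execute_command_line('pwd')
end program check
EOF
    printf '%s\n' "$dir"
}

# Demo run: list each call site, then the total (3 for the constructed tree).
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    list_exec_calls "$tree"
    echo "total: $(count_exec_calls "$tree")"
    rm -rf "$tree"
fi
```

Run with `sh audit.sh --demo`, or point `count_exec_calls` at `src/ test/ example/` of a real checkout; a non-zero result is the verifiable counter-evidence to a "zero calls remain" claim.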