CRITICAL: Issue #506 falsely closed - active system() call remains in fortplot_pipe_timeout.c #566

@krystophny

Description

CRITICAL SECURITY VIOLATION: Issue #506 is marked CLOSED but contains false completion claims.

Evidence of False Closure

Issue #506 Status: CLOSED (falsely marked as resolved)

ACTIVE SECURITY VIOLATIONS FOUND:

1. Active system() Call in C Code

File: src/fortplot_pipe_timeout.c
Line: 85
Code: int result = system(command);

Impact: Direct command injection vulnerability remains active

2. Active execute_command_line Functions

Found: 29 occurrences across codebase
Status: Not eliminated as claimed

Sample Locations:

  • src/fortplot_system_timeout.f90: Lines 10, 50, 79, 87
  • Multiple modules still contain execute_command_line references

3. Verification Commands

grep -r "system(" src/*.c
# Result: /home/ert/code/fortplot/src/fortplot_pipe_timeout.c:85:    int result = system(command);

grep -r "execute_command_line" src/*.f90 | wc -l
# Result: 29 occurrences found

Security Assessment

HIGH RISK: The system() call in fortplot_pipe_timeout.c allows arbitrary command execution
MEDIUM RISK: 29 execute_command_line references indicate incomplete elimination

Root Cause Analysis

  1. Issue #506 (defect: multiple execute_command_line calls pose security risks) was prematurely closed
  2. Security audit was incomplete
  3. C code security violations were missed
  4. No comprehensive verification was performed

Required Immediate Actions

  1. REOPEN Issue #506 (defect: multiple execute_command_line calls pose security risks) immediately
  2. Eliminate the system() call in fortplot_pipe_timeout.c
  3. Complete the execute_command_line elimination
  4. Perform comprehensive security audit of all C and Fortran files
  5. Implement proper verification protocols before claiming completion

SEVERITY: CRITICAL - Active command injection vulnerability exists despite false closure claims

This represents a fundamental security audit failure and false completion reporting.
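The following is an added example, not code from the fortplot project or from the issue author. It illustrates the risk class the report describes: a command string assembled from caller-supplied input and handed to `system()` is parsed by `/bin/sh -c`, so shell metacharacters in the input become extra commands. The hardened form passes the same input as one entry of an `argv` vector through `fork()`/`execvp()`, so no shell ever sees it. The command name `convert`, the output filename and all function names are assumptions for illustration; the actual `command` string built in fortplot_pipe_timeout.c is not shown on this page.

```c
/* Added example (not fortplot project code): the system() command-injection
   pattern beside a fork/execvp replacement that takes an argv vector.
   Names, the "convert" command and the output filename are illustrative. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Mirrors the risky pattern: a command line is assembled from a
   caller-controlled path, exactly what system(command) would receive and
   hand to /bin/sh -c. This helper only builds the string; it never runs it.
   Returns 0 on success, -1 if the buffer is too small. */
int build_shell_command(char *out, size_t outlen, const char *user_path)
{
    int n = snprintf(out, outlen, "convert %s out.png", user_path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 if the string contains characters /bin/sh would interpret
   (command separators, pipes, substitution, redirection, quoting, whitespace). */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&$`<>()\n'\"\\ ") != NULL;
}

/* Hardened replacement: execvp() receives argv directly, so user input is a
   single literal argument no matter what it contains. Returns the child's
   exit status, 127 if the program could not be executed, -1 on fork/wait
   error or if the child died from a signal. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);   /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int main(void)
{
    /* Constructed sample input carrying a command separator. */
    const char *evil = "movie.mp4; rm -rf /";
    char cmd[256];

    build_shell_command(cmd, sizeof cmd, evil);
    printf("system() would hand the shell: %s  (metachars: %d)\n",
           cmd, has_shell_metachars(cmd));

    /* Same input through execvp: "true" ignores its arguments, so the
       separator is just bytes in argv[1] and nothing else runs. */
    char *argv[] = { "true", (char *)evil, NULL };
    printf("execvp path exit status: %d\n", run_argv(argv));
    return 0;
}
```

The shell-metacharacter check is a detection aid for auditing existing call sites, not a sanitiser to keep `system()` alive; allow-listing characters is fragile, and the argv-based exec removes the shell from the path entirely. A timeout, if the original module needs one, belongs around `waitpid()` (for example with `alarm()` or a `WNOHANG` polling loop) rather than inside a shell command.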
