sclang: SequenceableCollection:unixCmd respects PATH

[nhthn]

fix #2317

This commit changes a call to execve to execvpe in SequenceableCollection:unixCmd, so that PATH is now respected.

This only affects *nix systems. SequenceableCollection:unixCmd is not currently supported on Windows, or so I hear.

test case:

["which", "scsynth"].unixCmd

once this method is working on Windows, i suggest that we refactor all calls to String:unixCmd to use this method. it is much better to call actual command line arguments as an array rather than formatting shell strings, which is vulnerable to injections.

[mossheim]

execvpe isn't available on macos, it's a GNU extension.

IIUC you could just change this to execvp and remove all use of environ from the this file. According to https://linux.die.net/man/3/execvp:

The other functions [not e-postfixed] take the environment for the new process image from the external variable environ in the calling process.

Since nothing is actually being added to environ in this call, using it again as an argument has no effect.

[mossheim]

can confirm this works on macos

[mossheim]

it is much better to call actual command line arguments as an array rather than formatting shell strings, which is vulnerable to injections.

not sure why this is any less vulnerable - couldn't one of the args be something like "`rm -rf ~/*; 0`"?

[nhthn]

seeing is believing :)

"ls `echo ~`".unixCmd // ls ~
["ls", "`echo ~`"].unixCmd  // literally tries to ls a directory called "`echo ~`"

the exec* family runs at a lower level than shell

[mossheim]

ahhh, ok. thanks for the explanation!