
Subprocesses are generally bad news - tbodt
http://rachelbythebay.com/w/2018/04/11/exec/
======
StefanKarpinski
I had similar thoughts some time ago but came to a very different conclusion:
anything the shell can do a programming language could do just as well, given
the right interface. The fact that languages don't make it easy to spawn
subprocesses safely doesn't mean that they couldn't do so. The right solution
is making it both convenient _and_ safe to do shell-like things from within a
real programming language. So I made sure that Julia does this right:

[https://julialang.org/blog/2012/03/shelling-out-
sucks](https://julialang.org/blog/2012/03/shelling-out-sucks)

[https://julialang.org/blog/2013/04/put-this-in-your-
pipe](https://julialang.org/blog/2013/04/put-this-in-your-pipe)

~~~
bjoli
Scsh also does this right. It makes me sad that no one actually successfully
ported it to other schemes.

~~~
codemac
There was a port of scsh to guile that was more of a library - it worked
really well. I doubt it's up to snuff on guile 2.0+ though.

------
userbinator
_" I'll just escape it" is a typical and yet unacceptable response to this._

There seems to be some sort of "cult" (for lack of better term) around this
mentality of "it's too hard so don't do it", which unfortunately only makes
things worse overall. Escaping rules are well-defined (they must be, by
necessity), and sooner or later you're going to have to do something involving
it; not to mention the important superset of things to keep in mind when
writing code, of which escaping is only a fraction: the general principle of
"consider _all_ input". Always assume that all 256 values of a byte can and
will show up in any external input, and plan accordingly.

~~~
asveikau
> Escaping rules are well-defined

Except when they aren't? I'm thinking of things like the bash exported
function bug, an obscure feature nobody thought was there turns evaluating
environment variables into RCE. Not to mention different shells may do things
slightly differently and you may get caught doing something unexpected.

So why not leave the shell out of the picture entirely? I think execve and
friends are much easier to get right than escaping. There are still possible
security bugs to consider (eg., if using the -p family such as execvp, who
controls PATH? Is anything on PATH writeable?), but the shell won't be among
them.

~~~
blindgeek
As often as I've seen people get shell-escaping wrong, escaping rules probably
aren't well-understood, regardless of how well-defined they are. Bourne
shell's quoting rules are byzantine at best. There are ways to reliably and
securely quote for the Bourne shell, but the best solution is not to pass
untrusted input to the shell. Unrelated to the shell, I've seen people --
including myself -- fail at dot-stuffing. Experience has taught me to avoid
hand-rolled escaping when I can; escaping is definitely a code smell.

------
ggm
Because the shell is a generalized engine for executing things, and because
magic defines textfiles as candidate executables nominating either the shell
or a shell-exec binary to interpret them, and because system() jacks all of
this to say you can invoke a shell with all its awesome to invoke scripts
which invoke a binary to parse them.

If the shell was only rsh, and if the set of binaries you can invoke was
constrained, and if the network and system calls were accessed through
strace() barriers which limited what you could do.. We might have less
problems. Except that in the end, people don't code or script for secure
execution so the context of 'what harm can I do from here' turns out to be a
lot wider than many people think.

------
cafxx
Hello inetd, my old friend

I've come to talk with you again

Because bugs softly creeping

Pwned my server while I was sleeping...

------
AstralStorm
The premise is faulty. Subprocesses are fine, it is the POSIX shell that
should be avoided. Or any interpreted language. Smallest tool for the job.

Use exec* calls, right options for your process handling class and there is no
problem.

As a bonus feel free to spawn/fork your current application.

Linking pipes and file descriptors is also not that hard. (Though they are a
cruddy that may be nicer to wrap in something like 0mq.)

------
codemac
This is sanitizing input, yes?

Didn't seem to be too specific to subprocesses, just some places where folks
use input directly.

