...
For more information on the system() call, see ENV03-C. Sanitize the environment when invoking external programs and ENV33-C. Do not call system() if you do not need a command processor.
Compliant Solution
It is necessary to ensure that all valid data is accepted, while potentially dangerous data is rejected or sanitized. Doing so can be difficult when valid characters or sequences of characters also have special meaning to the subsystem and may involve validating the data against a grammar. In cases where there is no overlap, whitelisting can be used to eliminate dangerous characters from the data.
...
The call to execl() is not susceptible to command injection because the shell command interpreter is not invoked. (See ENV33-C. Do not call system() if you do not need a command processor.)
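The two ideas above, whitelist validation of the data and execution through an exec function rather than a shell, combined in one added example that is not the CERT rule's own code. The whitelist OK_CHARS, the functions is_whitelisted(), build_argv() and run_without_shell(), and the use of /bin/echo as the stand-in for a mail program are all constructed for this illustration:

```c
/* Added example (not CERT's own code): whitelist validation of user-supplied
 * data before it reaches a subsystem, then execution without a shell.
 * OK_CHARS, is_whitelisted, build_argv and run_without_shell are names
 * constructed for this illustration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed whitelist: the only bytes accepted in a user name. Every byte
 * with meaning to a shell (; | & $ ` ' " < > space, newline, ...) is absent,
 * so an accepted string cannot be re-parsed as anything but a literal word. */
static const char OK_CHARS[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789_-.@";

/* Return 1 if input is non-empty and every byte is in OK_CHARS, else 0.
 * strspn() measures the leading run of accepted bytes; that run spans the
 * whole string exactly when no unaccepted byte is present anywhere. */
int is_whitelisted(const char *input) {
    size_t len = strlen(input);
    return len > 0 && strspn(input, OK_CHARS) == len;
}

/* Fill an argument vector for an exec*() call, with the validated user name
 * as its own argv entry. Returns 0 on success, -1 if the input is rejected.
 * argv must have room for 4 entries. /bin/echo stands in for the real
 * program only so that the example runs anywhere. */
int build_argv(const char *user, char *argv[4]) {
    if (!is_whitelisted(user))
        return -1;
    argv[0] = "/bin/echo";
    argv[1] = "notify:";
    argv[2] = (char *)user;   /* one argv entry; no shell ever re-parses it */
    argv[3] = NULL;
    return 0;
}

/* Fork and execv() the validated command. No command processor is involved,
 * so the user name reaches the program as a literal argument, never as a
 * command separator. Returns the child's exit status, or -1 if the input
 * was rejected or a process call failed. */
int run_without_shell(const char *user) {
    char *argv[4];
    if (build_argv(user, argv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);           /* reached only if execv() itself fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: one acceptable name and two carrying shell syntax. */
    const char *inputs[] = { "alice@example.com", "alice; echo injected", "$(date)" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = run_without_shell(inputs[i]);
        printf("%-24s -> %s\n", inputs[i],
               rc == -1 ? "rejected by whitelist" : "ran without a shell");
    }
    return 0;
}
```

The check is deliberately an accept-list rather than a deny-list: strspn() against OK_CHARS accepts only bytes known to be safe for the subsystem, so a metacharacter the author forgot to enumerate is rejected by default instead of slipping through. Where valid input must legitimately contain bytes that the subsystem treats specially, this simple test is not enough and the data has to be validated against the subsystem's grammar, as the text above notes.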
Risk Assessment
Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
...