...
Do not invoke a command processor via system() or equivalent functions to execute a command. It is permissible to call system() with a null pointer argument to determine the presence of a command processor for the system.
Noncompliant Code Example
...
```c
#include <Windows.h>
#include <ShlObj.h>
#include <Shlwapi.h>

#if defined(_MSC_VER)
  #pragma comment(lib, "Shlwapi")
#endif

void func(void) {
  HRESULT hr;
  LPWSTR path = 0;
  WCHAR full_path[MAX_PATH];

  hr = SHGetKnownFolderPath(&FOLDERID_Documents, 0, NULL, &path);
  if (FAILED(hr)) {
    /* Handle error */
  }
  if (!PathCombineW(full_path, path, L".config")) {
    /* Handle error */
  }
  CoTaskMemFree(path);
  if (!DeleteFileW(full_path)) {
    /* Handle error */
  }
}
```
Exceptions
ENV33-C-EX1: It is permissible to call system() with a null pointer argument to determine the presence of a command processor for the system.
Risk Assessments
If the command string passed to system(), popen(), or other function that invokes a command processor is not fully sanitized, the risk of exploitation is high. In the worst-case scenario, an attacker can execute arbitrary system commands on the compromised machine with the privileges of the vulnerable process.
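The difference the risk assessment describes can be observed directly. The following is an added example, not code from the original page: it runs the same constructed input through system() and through fork()/execve() and compares exit statuses. It assumes a POSIX system with /bin/cat; the function names and the input string are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed untrusted input: a "file name" carrying a shell metacharacter. */
static char untrusted[] = "no-such-file; exit 42";

/* Noncompliant: the name is pasted into a command string, so the command
 * processor splits on ';' and runs "exit 42" as a second command. */
int status_via_system(void) {
  char cmd[128];
  snprintf(cmd, sizeof cmd, "/bin/cat -- %s", untrusted);
  int status = system(cmd);
  return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Compliant: fork() + execve() with an explicit argument vector and a fixed
 * environment. No shell parses the input; cat receives one literal argument. */
int status_via_execve(void) {
  char *const argv[] = { "cat", "--", untrusted, NULL };
  char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
  int status;
  pid_t pid = fork();
  if (pid == -1) return -1;
  if (pid == 0) {
    execve("/bin/cat", argv, envp);
    _exit(127); /* reached only if execve() failed */
  }
  while (waitpid(pid, &status, 0) == -1) {
    if (errno != EINTR) return -1;
  }
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
  printf("system(): %d\n", status_via_system());
  printf("execve(): %d\n", status_via_execve());
  return 0;
}
```

An exit status of 42 from the system() path means the text after the semicolon ran as its own command; the execve() path reports only cat's own failure to open a file with that literal name.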
...