...
This rule is a specific instance of rule IDS00-J. Sanitize untrusted data passed across a trust boundary. Any string data that originates from outside the program's trust boundary must be sanitized before being executed as a command on the current platform.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="316cec3fa67a5920-50cdd51c-41154904-96ccae36-dedcd06e091e086195e3eeac"><ac:plain-text-body><![CDATA[ | [CVE-2010-0886] | [Sun Java Web Start Plugin Command Line Argument Injection | http://www.securitytube.net/video/1465] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4a6473d73607b1bb-aae99eac-46a94195-9ca0a04f-ec10ae237e79047916470196"><ac:plain-text-body><![CDATA[ | [CVE-2010-1826] | [Command injection in | http://securitytracker.com/id/1024617] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cd49e91ff1edaa4f-30dfafa6-429f490a-9b24a0cf-7a9e9a04878f57f23df4780f"><ac:plain-text-body><![CDATA[ | [T-472] | [Mac OS X Java Command Injection Flaw in | http://www.doecirc.energy.gov/bulletins/t-472.shtml] | ]]></ac:plain-text-body></ac:structured-macro> |
...
ENV03-C. Sanitize the environment when invoking external programs | ||||
| ENV04-C. Do not call system() if you do not need a command processor | |||
ENV03-CPP. Sanitize the environment when invoking external programs | ||||
| ENV04-CPP. Do not call system() if you do not need a command processor | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f039af96ab6eb53b-ef8cd39e-4809403c-8ca19199-846f974f4241ccb364e112c3"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | Injection [RST] | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-78. Improper neutralization of special elements used in an OS command ("OS command injection") |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e7ffc367a093ea4f-33a8bdbd-4b8246b7-9af98653-be70f9e1c3a3564bf4babc98"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]] | Chapter 5, Handling Input, "Command Injection"]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f53dbec65c7ac62c-fb21f74c-42ce4905-a7fbabd5-b6b177db085b9dc28fcb6696"><ac:plain-text-body><![CDATA[ | [[OWASP 2005 | AA. Bibliography#OWASP 05]] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7f2e4222632de95e-f8e06578-47954591-a6df93be-5dbe93d1aab5d56d0e7ef779"><ac:plain-text-body><![CDATA[ | [[Permissions 2008 | AA. Bibliography#Permissions 08]] | ]]></ac:plain-text-body></ac:structured-macro> |
...