...
Consequently, command injection attacks cannot succeed unless a command interpreter is explicitly invoked. However, argument injection attacks can occur when arguments have spaces, double quotes, and so forth, or start with a - or / to indicate a switch.
This rule is a specific instance of rule IDS00-J. Any string data that originates from outside the program's trust boundary must be sanitized before being executed as a command on the current platform.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d1347a9f342d35ec-1c1164d4-410a48fe-962eac2d-031465993ced890083d18877"><ac:plain-text-body><![CDATA[ | [CVE-2010-0886] | [Sun Java Web Start Plugin Command Line Argument Injection | http://www.securitytube.net/video/1465] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="48f39da710b83d2e-f351e1d5-475f45d1-8c80880f-0b05fac61869179080507ee3"><ac:plain-text-body><![CDATA[ | [CVE-2010-1826] | [Command injection in | http://securitytracker.com/id/1024617] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="813d2ae1e974e7d3-5a17e73a-455b4c41-959081fa-bb8a1498cd47ccdc38b2cdc5"><ac:plain-text-body><![CDATA[ | [T-472] | [Mac OS X Java Command Injection Flaw in | http://www.doecirc.energy.gov/bulletins/t-472.shtml] | ]]></ac:plain-text-body></ac:structured-macro> |
...
ENV03-C. Sanitize the environment when invoking external programs | ||||
| ENV04-C. Do not call system() if you do not need a command processor | |||
ENV03-CPP. Sanitize the environment when invoking external programs | ||||
| ENV04-CPP. Do not call system() if you do not need a command processor | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="903412ba5885d78a-135346eb-410748d1-93f583f6-b8e7d30533c731170eb933a2"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | Injection [RST] | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-78. Improper neutralization of special elements used in an OS command ("OS command injection") |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3a089fd2cad1c447-fe64087c-4d64411f-b856bf26-e00943692a25079deb0f50cf"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]] | Chapter 5, Handling Input, "Command Injection"]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6b190e97d11a4ba2-7dac9a90-46364ef9-88d7ad78-591c09628610a21c4d5a4151"><ac:plain-text-body><![CDATA[ | [[OWASP 2005 | AA. Bibliography#OWASP 05]] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e42af0697a735525-5c40af0c-409f4a7a-8212973d-03e2c414b3dbb7fc592b3c49"><ac:plain-text-body><![CDATA[ | [[Permissions 2008 | AA. Bibliography#Permissions 08]] | ]]></ac:plain-text-body></ac:structured-macro> |
...