by arghwhat
3070 days ago
I suspect you are misunderstanding "exec" as "shell". China router firmwares call the shell. Putting arbitrary input into a shell is dangerous, as missed escaping can result in control of the shell. When you call exec yourself, however, you are passing the individual arguments as a NULL-terminated list of strings (char*). There is no shell to abuse. Calling a process this way is about as safe as calling a function that takes strings for arguments. The function can still have vulnerabilities, but the process of calling it is safe.
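The distinction drawn in the comment above, as an added example that is not part of the original comment: the same constructed input is passed to `echo` once through `sh -c` and once as a single `argv` element via `execvp`. The function names `run_capture`, `echo_via_shell` and `echo_via_exec` are hypothetical, and a POSIX system with `sh` and `echo` on `PATH` is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec argv[0] with the NULL-terminated argv, capture its stdout. */
static int run_capture(char *const argv[], char *out, size_t cap) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);            /* no shell parses argv */
        _exit(127);                       /* only reached if exec failed */
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < cap && (r = read(fds[0], out + n, cap - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Shell path: the input is pasted into a command line that sh then parses. */
int echo_via_shell(const char *input, char *out, size_t cap) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", input);
    char *const argv[] = {"sh", "-c", cmd, NULL};
    return run_capture(argv, out, cap);
}

/* exec path: the input is one element of the argument vector. */
int echo_via_exec(const char *input, char *out, size_t cap) {
    char *const argv[] = {"echo", (char *)input, NULL};
    return run_capture(argv, out, cap);
}

int main(void) {
    const char *input = "hello; echo SECOND";   /* constructed sample input */
    char out[256];
    echo_via_shell(input, out, sizeof out);
    printf("via sh -c:\n%s", out);
    echo_via_exec(input, out, sizeof out);
    printf("via execvp:\n%s", out);
    return 0;
}
```

Through `sh -c` the `;` splits the input into two commands; through `execvp` the whole string reaches `echo` as one argument and is printed verbatim.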