[benmmurphy]

at this point i think the problem with system() should be blamed on the language and not the people using the language. how many legitimate uses of system() functiona call are there. a primitive that does fork() execv() on an array is a much better alternative. yeah, it doesn't 100% fix problems you might have issues with - style flags but you are in a much better situation. like if your users want to do system() maybe force them to do the extra work.

system() style functionality -> should be the hard thing to do execv() style functionality() -> should be the easy thing to do

[technion]

Whilst I do wish I could cleanse a web application of actually supporting system(), we have system() in Perl, Ruby, Python, and modules for Node. I've seen people bagging PHP and that really isn't fair.

Shower thought: Allow me to globally disable system() in for language x. Aside from the obvious case of just banning these insane system calls, you're protected against surprise vectors in parsers.

Edit: You would presumably mitigate pipe open vulnerabilities too

[tetha]

You can do so with SELinux btw. You can remove the right for a program to run the exec syscall.

It's just sad that there is no really good tutorial how to write your own SELinux modules for your own applications. It's easier than it seems and allows some really powerful security measures.

[hultner]

Maybe you could write one? I bet that it would be really appreciated.

[eequah9L]

I suspect that these languages just end up deferring to the system() library function in libc. LD_PRELOAD or other linker trick would then let you override it with a do-nothing or complain-loudly replacement.

[__david__]

All of those languages have an option to pass in arguments as an array and bypass the shell completely. PHP does not. It's much safer with no shell (though not perfect).