From: “Perry E. Metzger” <perry@piermont.com>
To: patrick@verity.com (Patrick Horgan)
Message Hash: 055abee03bc6102630d1a3d5051dace8c8038d09dcd3b5666d6ef3104c2f07e6
Message ID: <199509220231.WAA02083@frankenstein.piermont.com>
Reply To: <9509211553.AA17620@cantina.verity.com>
UTC Datetime: 1995-09-22 02:32:08 UTC
Raw Date: Thu, 21 Sep 95 19:32:08 PDT
From: "Perry E. Metzger" <perry@piermont.com>
Date: Thu, 21 Sep 95 19:32:08 PDT
To: patrick@verity.com (Patrick Horgan)
Subject: Re: "random" number seeds vs. Netscape
In-Reply-To: <9509211553.AA17620@cantina.verity.com>
Message-ID: <199509220231.WAA02083@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain
Patrick Horgan writes:
> Perry said:
> >
> > Also be especially careful about how you run the thing! Don't use
> > popen or anything like it!
>
> There's nothing inherently wrong with using popen or system.
Nor is there anything inherently wrong with having sex without the use
of a condom.
However, it is very difficult -- VERY DIFFICULT -- to prove to
yourself that there is never an instance in which your system() or
popen() can be abused. In any case, I find its often more prudent just
to strip all these things out of my code. If you don't use them, you
don't have to prove they are done properly. Paranoia is your
friend. No one can ever break you for doing something you don't do.
> The problem arises when you use information given to you from
> outside as the argument to popen or system without checking it.
Yup, but often, you'd be suprised what turns out to be outside data.
In any case, you obviously also understand why this is bad, but I hope
that people out there understan -- always make sure that you are
double extra careful about the use of such calls.
Perry
Return to September 1995
Return to ““Perry E. Metzger” <perry@piermont.com>”