C++: How to escape user input for safe system calls?

Question

On a Linux platform, I have C++ code that goes like this:

// ...
std::string myDir;
myDir = argv[1]; // myDir is initialized using user input from the command line.
std::string command;
command = "mkdir " + myDir;
if (system(command.c_str()) != 0) {
   return 1;
}
// continue....

• Is passing user input to a system() call safe at all?
• Should the user input be escaped / sanitized?
• How?
• How could the above code be exploited for malicious purposes?

Thanks.

Answer 1

Just don't use system. Prefer execl.

execl ("/bin/mkdir", "mkdir", myDir, (char *)0);

That way, myDir is always passed as a single argument to mkdir, and the shell isn't involved. Note that you need to fork if you use this method.

But if this is not just an example, you should use the mkdir C function:

mkdir(myDir, someMode);

Answer 2

Using system() call with command line parameters without sanitizing the input can be highly insecure.

The potential security threat could be a user passing the following as directory name

somedir ; rm -rf /

To prevent this , use a mixture of the following

• use getopt to ensure your input is sanitized
• sanitize the input
• use execl instead of system to execute the command

The best option would be to use all three

Answer 3

Further to Matthew's answer, don't spawn a shell process unless you absolutely need it. If you use a fork/execl combination, individual parameters will never be parsed so don't need to be escaped. Beware of null characters however which will still prematurely terminate the parameter (this is not a security problem in some cases).

I assume mkdir is just an example, as mkdir can trivially be called from C++ much more easily than these subprocess suggestions.