System Pause

Feb 20, 2013 at 9:23am
Hello people, I want to ask this question...
What is wrong with system("pause") other than the fact that it is OS-dependent?
Feb 20, 2013 at 10:02am
Nothing.

Although it is more elegant to run your command-line programs from the Command Prompt.
Feb 20, 2013 at 10:15am
closed account (zb0S216C)
It's very slow and insecure.

Wazzak
Feb 20, 2013 at 10:15am
How is it insecure?
Feb 20, 2013 at 10:27am
closed account (zb0S216C)
"system( )" is granted the same rights as your program. Because "pause" is a common command, malicious code can replace the "pause" executable with another malicious program. And when your program executes the "pause" program, it executes the malicious program which has the same rights as your program. No good.

Try it! Create a simple program and replace "pause" with it (keep a copy of "pause" first). Then, execute "pause" from another program. You'll realise just how vulnerable your program becomes with "system( )".

Wazzak
Feb 20, 2013 at 10:31am
It is not insecure if you use it correctly; sanitize the shell execution environment, sanitize the command string, and make sure that the command that you are executing cannot be spoofed.

Doing this is somewhat hard, so
Do not call system() if you do not need a command processor
http://www.securecoding.cert.org/confluence/display/seccode/ENV04-C.+Do+not+call+system()+if+you+do+not+need+a+command+processor

To pause the program, we do not need a command processor; for instance we can pause the program by waiting for user input: say, with std::cin.get() ;
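The input-based pause suggested in the post above, as an added example that is not part of the original thread. The names `wait_for_enter`, `consume_line` and the `line_pending` flag are hypothetical; the sample input is constructed so the block runs without a terminal.

```cpp
#include <iostream>
#include <limits>
#include <sstream>

// Hypothetical helper, not from the thread. Discards input up to and including
// the next '\n'. Returns false if the stream ended before a newline was seen.
static bool consume_line(std::istream& in)
{
    in.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
    return in.good();
}

// Waits for Enter without starting a command processor, so no external
// command is resolved or executed. Set line_pending when an earlier
// `in >> value` left the rest of its line (usually just '\n') unread;
// otherwise that leftover newline would end the pause immediately.
bool wait_for_enter(std::istream& in = std::cin, std::ostream& out = std::cout,
                    bool line_pending = false)
{
    in.clear();  // a failed extraction leaves failbit set; reads would not block
    if (line_pending && !consume_line(in))
        return false;  // input closed or redirected from an exhausted file
    out << "Press Enter to continue . . . " << std::flush;
    return consume_line(in);
}

int main()
{
    // Constructed input standing in for a user typing "42", Enter, Enter.
    std::istringstream typed("42\n\n");
    int n = 0;
    typed >> n;
    bool paused = wait_for_enter(typed, std::cout, true);
    std::cout << "\nread " << n << ", paused: " << std::boolalpha << paused << '\n';
    return paused ? 0 : 1;
}
```

In a real program, call `wait_for_enter()` with its defaults, passing `line_pending = true` only when the last read was a formatted extraction such as `std::cin >> n`.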
Feb 20, 2013 at 10:38am
> Because "pause" is a common command, malicious code can replace the "pause" executable with another malicious program. And when your program executes the "pause" program, it executes the malicious program which has the same rights as your program.


I'm pretty sure this won't work, not even on Windows 98.

pause is a command, not an executable. Unless you do system("pause.exe");, you should be safe.
Feb 20, 2013 at 10:53am
> Unless you do system("pause.exe");, you should be safe.

If you have verified that the ComSpec environment variable is set to <windows dir>\system32\cmd.exe

Feb 28, 2013 at 9:15am
Ok thanks ppl