link

in this link http://www.cplusplus.com/articles/j3wTURfi/:

What does the word "resource heavy" mean?

"it executes not just one, but maybe two separate processes and returns an exit status to your program"

Why? And how do I know that it executes more than one process?

"here is WaltP's simplified"

What does the word "WaltP" mean?


"Because you have no guarantee that the program you are executing
1 is a valid command
2 does the same thing on all systems
3 hasn't been compromised with malicious code, or
4 is the program you think it is"

If I write the program myself, then I know that it is valid, that it is not compromised, and that it is the program I think it is, because I write it myself.

What does all this mean:

"#if defined(WIN32) || defined(_WIN32) || defined(__WIN32__) || defined(__TOS_WIN__) || defined(__WINDOWS__)"

For Windows users, we can use only this command to open Notepad:

#define EDITOR "notepad"

what does this mean:

"if you do need to use system(), it is generally a good idea to check that you have a shell available:

if (system( NULL )) then_I_can_safely_use_system();
else fooey();
"

what does this mean :

"Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity. Use the exec(3) family of functions instead, but not execlp(3) or execvp(3). system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a modified bash which does not do this when invoked as sh.)"



this link :http://www.gidnetwork.com/b-61.html

explains system("pause") and system() and how it takes 9 instructions in order for the program to be paused and then exited. Maybe this is the only disadvantage of the system() function. However, judging from the tutorial, I am not convinced at all that the system() function is dangerous.
1) It means it calls tons of OS calls and other things just to clear the screen. There are much better ways of doing that (like using ncurses or some other library).

2) WaltP is a person.

3) If you are writing a toy program for yourself and you don't plan on ever getting a new computer or OS, then sure, you can use system.
As for #4, I could create a program called "cls.exe" and put it in the same directory as your program, then your program will call cls.exe, not execute the shell command. This is a huge security risk.

4) Go look up #define and #if preprocessor commands.

5) You might not even have a shell to execute commands, so in some cases using system() might not work.

6) This is *nix specific information. If an adversary is able to set up specific environment variables, they could abuse your program to hack your system.

In conclusion, there are several ways system can be abused to break your program/computer. Just because the programs you are writing now won't be used by anyone but yourself, doesn't mean you shouldn't start trying to write good, secure programs.
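
The man page advice quoted in the question (use the exec(3) family, but not execlp(3) or execvp(3)) together with the cls.exe and environment-variable points in the reply above, as an added C example that is not from the thread or the linked article. The helper name `run_fixed`, the `PATH` value given to the child and the `/bin/sh` demo target are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* run_fixed() is a hypothetical helper written for this example.
 * Returns the child's exit status (0-255), 127 if exec failed,
 * or -1 if the path is rejected or the child could not be run. */
int run_fixed(const char *path, char *const argv[])
{
    /* Constructed minimal environment: nothing from the caller's own
     * environment (PATH, LD_PRELOAD, ...) is handed to the child. */
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

    /* Absolute paths only, so a same-named file planted in the current
     * directory (the cls.exe case) can never be picked up. */
    if (path == NULL || path[0] != '/')
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() runs exactly this file: no shell, no PATH search. */
        execve(path, argv, clean_env);
        _exit(127);
    }

    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: /bin/sh stands in for "some fixed program". */
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    return run_fixed("/bin/sh", argv) == 3 ? 0 : 1;
}
```

Unlike system(), the caller's environment never reaches the child here, and a bare name such as "cls" is refused instead of being searched for.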
closed account (2LzbRXSz)
It's inefficient, it's bad practice. It's OS-specific, and OS-dependent.

I had originally written a very long analogy about how it's like if you had to manually tell your lungs to breathe every single time, but that just got long and confusing.
"5) You might not even have a shell to execute commands, so in some cases using system() might not work"

I think every OS has a shell to execute commands. So in what cases might using system() not work??


"6) This is *nix specific information. If an adversary is able to set up specific environment variables, they could abuse your program to hack your system."

What are the methods used by an adversary to set up specific environment variables??

"4) Go look up #define and #if preprocessor commands"

I looked, but I still do not understand what this means:

"#if defined(WIN32) || defined(_WIN32) || defined(__WIN32__) || defined(__TOS_WIN__) || defined(__WINDOWS__)"

??
closed account (2LzbRXSz)
"I think every OS has a shell to execute commands . So in what cases using system() might not work ??"

System commands don't work on Mac (can't speak for any other OS though).