I was implementing an echo command using the system() function. The argument for the echo command comes from a command line argument. But when used ‘;’ in the argument it is showing the directory listing.
What should i do to avoid it? Is it because of command injection in my program?
update: code added from comment
#include<string.h>
#include<stdio.h>
#include<stdlib.h>
int main(int argc, char **argv) {
char cmd[50] = "echo ";
strcat(cmd,argv[1]);
system(cmd);
}
I could compile the code but while executing if i give the command line argument as eg: ‘./a.out hello;ls ‘ then directory listing is happening.
[can’t respond to other answers yet, so reposting the question]
“Is possible to get the argument with ‘;’, without using ‘\’ in the command line argument. Is possible for me to include a ‘\’ from my program after getting argv?”
No, it is not possible. The interpretation of “;” is done by the shell before getting to your program, so unless you escape at the call, your program will never be aware of the “;”. i.e.
PROG1 parms ; PROG2
will cause the shell (which is interpreting what you type) to do the following:
start PROG1 and pass it parms.
once PROG1 is done, start PROG2
There are a number of special characters which the shell will take over by default and your program will never see: * for wildcards, | for pipes, & for parallel execution, etc… None of these will be seen by the program being run, they just tell the shell to do special things.
Alternatively to using the “\”, you can enclose your parameter in single or double quotes (which are different, but for your example will both work). i.e.:
./a.out “hello;ls”
./a.out ‘hello;ls’
Note that these will work for the printf option, if you call “system” you are in effect telling C to start a shell to run what you are passing in, so the input will once again be subject to shell interpretation.