Home/ Questions/Q 6196107
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T03:35:04+00:00

popen buffers output while system does not. is that the only difference? I understand

  • 0

popen buffers output while system does not. is that the only difference?

I understand that popen and system both run the command through the shell. However, is popen() as evil as system()?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Look, the whole thing about “system being evil” is, at heart, people who don’t think about the security consequences of their particular use case. The only reason system is “more evil” than doing your own fork/dup/exec is that used badly, it’s possible for someone to introduce a malicious command line. So, for example

    #include <stdlib.h>

int main(int argc, char** argv){
    (void) system(argv[1]);
}

    is certainly dumb, because someone could put, eg, rm -rf / in as the argument. And, of course, something similarly dumb could be done with popen.

    But then consider something that does fork and exec using a user string for the command: the exact same vulnerability and stupidity exists.

    The evil — which is to say, the error — lies in using a random input string as a command without some filtering, not in the system call.

    • 0