Yes the user controls the path and in the example provided they could just call whatever command they want anyway
This doesn’t give the attacker any access that they wouldn’t have.
Also you can just clobber the “PATH” variable if it is so inclined.
> system() on the other hand is guaranteed to run the operating system’s command intepreter
Yeah that just it is means less predictable.
Please show me python programs which support the pattern shown by the parent post and which actually work when running under powershell. (Or Oil shell or any other non-POSIX shell)
Aside: `/bin/sh` is guaranteed to exist by POSIX
> `/bin/sh` is guaranteed to exist by POSIX
Quite the contrary
> Applications should note that the standard PATH to the shell cannot be assumed to be either /bin/sh or /usr/bin/sh, and should be determined by interrogation of the PATH returned by getconf PATH,ensuring that the returned pathname is an absolute pathname and not a shell built-in.
https://pubs.opengroup.org/onlinepubs/9799919799/utilities/s...