Saturday, 9 May 2015

HP Fortify analysis results, system() command injection

I am trying to write C++ code that calls a command in a Linux command line, and I am using HP Fortify to check for exploits in the code. Can someone familiar with the HP Fortify source analyzer tell me if it is possible to use a system() Linux call in C++ code without getting the low-threat warning from HP Fortify (Low: Command Injection: Semantic)? Is there still a threat of command injection if I hard-code the input to the system() function while writing out full paths to the programs and/or files in the call? I don't understand a more secure way of giving it input than hard-coding it in. Should I be ignoring the system() function and finding another way to call commands from my C++ code to the Linux command line?

Edit: I tried using execv() instead of system() to call a program, but it still gives me the command injection warning for using execv().
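One way to run a fixed program from C++ without handing a command string to /bin/sh, as an added example that is not part of the original post; it assumes a POSIX system (fork/execv/waitpid) and a hypothetical helper named run_no_shell:

```cpp
// Added example (not from the original post): call a hard-coded program with
// execv() so its arguments are never parsed as shell syntax. Assumes POSIX.
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Runs argv[0] directly with execv(); the argument vector reaches the program
// verbatim, so a value such as "a b; c" is one argument, not three commands.
// Returns the child's exit status, 127 if exec failed, or -1 on other errors.
int run_no_shell(const std::vector<std::string>& argv) {
    if (argv.empty()) return -1;
    std::vector<char*> cargv;
    for (const std::string& s : argv) cargv.push_back(const_cast<char*>(s.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(cargv[0], cargv.data());
        _exit(127);  // only reached if execv() itself failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// For code that must still call system(): reject any argument carrying a
// character /bin/sh would interpret (word splitting, chaining, expansion).
// An allow-list of the expected format (e.g. [A-Za-z0-9._-]) is stricter
// and preferable when the input shape is known.
bool has_shell_metachars(const std::string& arg) {
    return arg.find_first_of(";|&$`<>()*?[]{}~!#'\"\\ \t\n") != std::string::npos;
}
```

With execv() the vector is passed to the program unchanged and no shell ever parses it; a static analyzer's semantic rule may still flag the call site because it matches the function name rather than the data reaching it.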
