11 lines
525 B
Plaintext
11 lines
525 B
Plaintext
==== Disable shell integration
|
|
|
|
In most cases, command execution libraries propose two ways to execute external
|
|
program: with or without shell integration.
|
|
|
|
When shell integration is allowed, an attacker with control over the command
|
|
arguments can simply execute additional external programs using system shell
|
|
features. For example, on Unix, command pipelining (`|`) or string
|
|
interpolation (`$()`, `<()`, etc.) can be used to break out of a command call.
|
|
|
|
Therefore, it is generally preferable to disable shell integration. |