Bastien Chevreux wrote, On 2/18/14 10:54 PM:
> Good, I'll add that to the code base. But remember the first rule of a
> developer: users are never reasonable. E.g.: "/somewhere/I'm gonna earn lotsa
> $$$ & get rich/mira/" :-)

If you want to go to the effort of handling the unreasonable user, the alternative I was thinking of trying is to, instead of calling system on the entire command string, use fork(), one of the execv family of calls, and wait() to get the same result without any shell parsing of the string.

If there were any chance of an attacker having control of the path of the file being executed then that would be necessary to prevent evil things from being done with code injection into the shell command. But in this case I don't mind a user having the ability to configure their own machines with that unreasonable path and giving themselves unreasonable results.

Sidney
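The fork()/execv()/wait() approach described in the message above, as an added example that is not part of the thread or of MIRA's code. The helper names run_capture and odd_path_survives are hypothetical, and /bin/echo is assumed to exist and stands in for the real program being launched.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Path quoted in the thread: apostrophe, '$' and '&' are all shell syntax. */
#define ODD_PATH "/somewhere/I'm gonna earn lotsa $$$ & get rich/mira/"

/* Run argv[0] via fork/execv/waitpid with no shell in between, capturing
 * the child's stdout in out. Returns its exit status, or -1 on failure. */
int run_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;
    if (outlen == 0 || pipe(fds) < 0)
        return -1;
    pid = fork();
    if (pid == 0) {                  /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        execv(argv[0], argv);        /* each argv element arrives verbatim */
        _exit(127);                  /* only reached if execv failed */
    }
    close(fds[1]);                   /* if fork failed, read() sees EOF */
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Pass the odd path as ONE argument; 1 if it comes back byte for byte. */
int odd_path_survives(void)
{
    char buf[256];
    char *const argv[] = { "/bin/echo", ODD_PATH, NULL };
    return run_capture(argv, buf, sizeof buf) == 0 &&
           strcmp(buf, ODD_PATH "\n") == 0;
}

int main(void)
{
    puts(odd_path_survives() ? "argument intact" : "argument altered");
    return 0;
}
```

Because the path travels as a single argv element, the apostrophe, dollar signs and ampersand are never interpreted; the same string pasted into a system() command line would be parsed by the shell first.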