Re: wordexp(3)

[Tim <tim-security () sentinelchicken org>]

> > It might be of interest to know that we've only got patches in 2 ports
> > as a result of this: celestia and filezilla (we're using globs instead
> > of wordexp for these; I'm not aware of any negative feedback relating
> > to these patches).
>
> There is software out there which automatically uses a shell-based
> implementation if the system does not provide wordexp.  With this in
> mind, it makes sense to provide the interface even if you dislike it
> (same thing with strlcpy).


I disagree.

Providing a badly designed interface, even if it is "standard", simply
invites more depedence on it.  If people have to exert extra effort to
code around the lack of a dangerous interface, then they are less
likely to rely on dangerous approaches, such as generating shell
syntax from within C.  Yes, they could just use system() or popen(),
but these interfaces should be deprecated as well.  We have to take a
stand some time.

Most programmers like to think that other programmers should just
"know what they are doing" and use these interfaces with care.  The
reality is, there will always be a significant percentage of
developers who don't "know what they are doing".  If we want to avoid
vulnerabilities in software, we need to start thinking about how to 
provide APIs that discourage (but don't prevent) unsafe practices, so
that those who are naive will find that the path of least resistance
is to write secure code to begin with.

tim