...
In this noncompliant code example, derived from a vulnerability in OpenBSD's chpass program [NAI 1998], a file containing sensitive data is opened for reading. In the get_validated_editor() function, the program retrieves the registered editor from the EDITOR environment variable, sanitizes it so that it names a valid editor (in accordance with FIO02-C, Canonicalize path names originating from untrusted tainted sources), and returns a command for invoking the editor. Back in func(), the program then executes the editor using the system() function. If the system() function is implemented in a way that spawns a child process, the child process could inherit the file descriptors opened by its parent. If this happens, as it does on POSIX systems, the child process will be able to access the contents of the potentially sensitive file called file_name.
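The following C program is an added illustration of the inheritance described above, not the chpass code or the original example: it opens a stand-in file (/dev/null, assumed readable, in place of the sensitive file_name), spawns a child shell through system() and has the child test whether it can still reach the parent's descriptor. Run once with the descriptor left as opened and once after marking it FD_CLOEXEC with fcntl(), it shows that only the close-on-exec descriptor is withheld from the child.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open the stand-in "sensitive" file read-only. When close_on_exec is
 * nonzero, mark the descriptor FD_CLOEXEC so it is closed across exec().
 * (Opening with O_CLOEXEC sets the same flag atomically on newer systems.)
 * Returns the descriptor or -1 on failure. */
static int open_sensitive(const char *path, int close_on_exec) {
    int fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    if (close_on_exec && fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Ask a child shell spawned via system() whether descriptor fd is open
 * in the child. ': <&N' dup2()s descriptor N onto stdin; if N is not open
 * the shell reports "Bad file descriptor" and exits nonzero.
 * Returns 1 if the child inherited fd, 0 if not, -1 on error. */
static int child_can_use_fd(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null <&%d", fd);
    int status = system(cmd);
    if (status == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Open path (optionally close-on-exec), spawn a child as func() does with
 * system(), and report whether the child could reach the descriptor. */
int descriptor_leaks_to_child(const char *path, int close_on_exec) {
    int fd = open_sensitive(path, close_on_exec);
    if (fd == -1) return -1;
    int leaked = child_can_use_fd(fd);
    close(fd);
    return leaked;
}

int main(void) {
    printf("plain open:  leaked=%d\n", descriptor_leaks_to_child("/dev/null", 0));
    printf("FD_CLOEXEC:  leaked=%d\n", descriptor_leaks_to_child("/dev/null", 1));
    return 0;
}
```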
...