...
Consequently, command injection attacks cannot succeed unless a command interpreter is explicitly invoked. However, argument injection attacks can occur when arguments have spaces, double quotes, and so forth, or start with a - or / to indicate a switch.
This rule is a specific instance of rule IDS00-J. Any string data that originates from outside the program's trust boundary must be sanitized before being executed as a command on the current platform.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="37e495a5344a8d2c-53804f1d-453a457e-bda3b360-734673dec003845acc9ed892"><ac:plain-text-body><![CDATA[ | [CVE-2010-0886] | [Sun Java Web Start Plugin Command Line Argument Injection | http://www.securitytube.net/video/1465] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a0289ae8c635d7c8-0b90da83-445f4667-9fd89003-00ac0e1f807aac591e42e595"><ac:plain-text-body><![CDATA[ | [CVE-2010-1826] | [Command injection in | http://securitytracker.com/id/1024617] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="dca64de1ef7fbe67-c3b6f1c8-43f244cc-ad73af81-4ac7ea56c0c79fa64ef210f8"><ac:plain-text-body><![CDATA[ | [T-472] | [Mac OS X Java Command Injection Flaw in | http://www.doecirc.energy.gov/bulletins/t-472.shtml] | ]]></ac:plain-text-body></ac:structured-macro> |
...
ENV03-C. Sanitize the environment when invoking external programs | ||||
| ENV04-C. Do not call system() if you do not need a command processor | |||
ENV03-CPP. Sanitize the environment when invoking external programs | ||||
| ENV04-CPP. Do not call system() if you do not need a command processor | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1161ffe4ab8113d7-e35d06eb-4c7b43ad-b8059282-be8ea3bc43f02c1164f3dc8f"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | Injection [RST] | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-78. Improper neutralization of special elements used in an OS command ("OS command injection") |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bce6af3bf12a72da-a460d6ed-4cf54e17-b874b182-1ca373c77fe9d849639a7172"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]] | Chapter 5, Handling Input, "Command Injection"]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3f154c4787bbcafc-ad85d62d-449b4b4b-9186b5b7-c8cfc1890c51075c32227c57"><ac:plain-text-body><![CDATA[ | [[OWASP 2005 | AA. Bibliography#OWASP 05]] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="343d95b6491088f7-cd570362-42734b36-a11c924b-6b643e39f22b1bc89fdd0b45"><ac:plain-text-body><![CDATA[ | [[Permissions 2008 | AA. Bibliography#Permissions 08]] | ]]></ac:plain-text-body></ac:structured-macro> |
...