cybersecurity · intermediate · ~15 min
Why `system()` is dangerous with untrusted input.
Implement int safe_run(const char *prog, const char *arg) that runs prog arg without invoking a shell. Use fork + execvp with an explicit argv array, then wait. Return the child's exit status (0 on success).
This is the safe way to invoke external programs from user-controlled data: arguments stay arguments, no ; or backticks can inject extra commands.
#include <unistd.h>
#include <sys/wait.h>
int safe_run(const char *prog, const char *arg) {
/* TODO */
return -1;
}
Solve this exercise in the browser editor — compile and run against the test harness, no setup required.