environment variable instead, which contains the whitespace

In general, the best way to prevent OS command injection flaws from arising

is to avoid calling out directly to operating system commands at all. Virtually

any conceivable task that a web application may need to carry out can be

achieved using built-in APIs that cannot be manipulated to perform additional

commands than the one intended.

If it is considered unavoidable to embed user-supplied data into command

strings that are passed to an operating system command interpreter, the appli-

cation should enforce rigorous defenses to prevent a vulnerability arising. If

possible, a white list should be used to restrict user input to a specific set of

expected values. Alternatively, the input should be restricted to a very narrow

character set — for example, alphanumeric characters only. Input containing

any other data, including any conceivable metacharacter or whitespace should

be rejected.

As a further layer of protection, the application should use command APIs

that launch a specific process via its name and command-line parameters,

rather than passing a command string to a shell interpreter that supports com-

mand chaining and redirection. For example, the Java API 

Runtime.exec

and

Process.Start

do not support shell metacharacters and if

properly used can ensure that only the command intended by the developer

will be executed. See Chapter 18 for more details of command execution APIs.