Call only application programming interfaces (APIs) that are intended for use by programs. Usually a program can invoke any other program, including those that are really designed for human interaction. However, it’s usually unwise to invoke a program intended for human interaction in the same way a human would. The problem is that programs’s human interfaces are intentionally rich in functionality and are often difficult to completely control. As discussed in Section 8.3, interactive programs often have “escape” codes, which might enable an attacker to perform undesirable functions. Also, interactive programs often try to intuit the “most likely” defaults; this may not be the default you were expecting, and an attacker may find a way to exploit this.
Examples of programs you shouldn’t normally call directly include mail, mailx, ed, vi, and emacs. At the very least, don’t call these without checking their input first.
Usually there are parameters to give you safer access to the program’s functionality, or a different API or application that’s intended for use by programs; use those instead. For example, instead of invoking a text editor to edit some text (such as ed, vi, or emacs), use sed where you can.