
Title: subprocess docs should warn of shlex use on Windows
Type: security Stage: resolved
Components: Documentation, Windows Versions: Python 3.10, Python 3.9, Python 3.8
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: docs@python Nosy List: Stephen Farris, ammar2, chris.jerdonek, docs@python, miss-islington, paul.moore, steve.dower, tim.golden, zach.ware
Priority: normal Keywords: patch

Created on 2020-06-09 20:49 by Stephen Farris, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 21502 merged ammar2, 2020-07-16 03:09
Messages (5)
msg371140 - (view) Author: Stephen Farris (Stephen Farris) Date: 2020-06-09 20:49
The subprocess docs state: "When using shell=True, the shlex.quote() function can be used to properly escape whitespace and shell metacharacters in strings that are going to be used to construct shell commands." While this is true on Unix, it is not true on Windows. On Windows it is easy to create scenarios where shell injection still exists despite using shlex.quote properly (e.g. "'&calc '"), shell=True) launches the Windows calculator, which it wouldn't do if shlex.quote was able to prevent shell injection on Windows). While the shlex docs state that shlex is for Unix, the subprocess docs imply that shlex.quote will work on Windows too, possibly leading some developers to erroneously use shlex.quote on Windows to try to prevent shell injection. Recommend: 1) qualifying the above section in the subprocess docs to make it clear that this only works on Unix, and 2) updating the shlex docs with warnings that shlex.quote in particular is not for use on Windows.
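As an added illustration (not code from the report, the linked PR or CPython's docs), a small check of what shlex.quote() leaves exposed to cmd.exe, beside the list-argument, shell=False form that sidesteps the problem; the metacharacter set and helper names are my own approximation and are not part of the original discussion.

```python
import shlex
import subprocess

# Characters cmd.exe treats specially outside double quotes (constructed,
# non-exhaustive list for illustration). Single quotes, which shlex.quote()
# relies on, mean nothing to cmd.exe.
CMD_METACHARS = set('&|<>^()%!')


def unquoted_cmd_metachars(s: str) -> set:
    """Return the cmd.exe metacharacters in s that sit outside double quotes
    (an approximation of cmd.exe parsing; % and ! can expand even inside)."""
    found, in_dq = set(), False
    for ch in s:
        if ch == '"':
            in_dq = not in_dq
        elif not in_dq and ch in CMD_METACHARS:
            found.add(ch)
    return found


def quote_for_posix_shell(arg: str) -> str:
    """shlex.quote() is only correct for POSIX sh-style shells."""
    return shlex.quote(arg)


def check_windows_shell_command(arg: str) -> set:
    """Model the mistake in the report: shlex.quote() an untrusted value and
    splice it into a shell=True command on Windows. A non-empty result means
    cmd.exe would still honour those characters despite the quoting."""
    return unquoted_cmd_metachars(shlex.quote(arg))


def build_argv_without_shell(program: str, untrusted: str) -> list:
    """The mitigation: keep the untrusted value as its own argv element and
    run it with shell=False, so no shell ever parses it."""
    return [program, untrusted]


def windows_commandline(argv: list) -> str:
    """What subprocess hands to CreateProcess on Windows for a list argument
    with shell=False: the value stays one token and cmd.exe is never involved."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    tainted = "'&calc '"  # the value from the report
    print("shlex.quote ->", quote_for_posix_shell(tainted))
    print("still live for cmd.exe:", check_windows_shell_command(tainted))
    print("argv form ->", windows_commandline(build_argv_without_shell("echo", tainted)))
```

Run the argv form with `subprocess.run(argv, shell=False)`; the quoting produced by list2cmdline is for CreateProcess argument splitting, not for cmd.exe, so it does not make shell=True safe either.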
msg374031 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-07-20 22:22
I wonder whether we should be more specific about the shells that shlex works for? Since WSL makes *sh (Bash, Dash, Sh, etc.) easily available on Windows, and I believe PowerShell on Linux keeps its own quoting rules.
msg374051 - (view) Author: Ammar Askar (ammar2) * (Python committer) Date: 2020-07-21 03:19
Hmm, it'd be hard to enumerate them all. The module does say, "...simple syntaxes resembling that of the Unix shell" but that's it.

Distinguishing at the OS level for shlex does seem a bit weird given the existence of WSL and non-compliant shells on Linux like xonsh. I think it'd be nice if we could be a bit more specific on what's supported, maybe it covers all POSIX compliant shells?

For the subprocess warning I think it's fine to talk about the OS since it looks like the shells used are hard-coded in:

msg380738 - (view) Author: miss-islington (miss-islington) Date: 2020-11-11 07:30
New changeset f9a8386e44a695551a1e54e709969e90e9b96bc4 by Ammar Askar in branch 'master':
bpo-40932: Note security caveat of shlex.quote on Windows (GH-21502)
msg390075 - (view) Author: Ammar Askar (ammar2) * (Python committer) Date: 2021-04-02 15:56
Thank you Steve and Zachary for reviewing, this warning is in the docs now.
Date User Action Args
2022-04-11 14:59:32 admin set github: 85104
2021-04-02 15:56:16 ammar2 set status: open -> closed; resolution: fixed; messages: + msg390075; stage: patch review -> resolved
2020-11-11 07:30:06 miss-islington set nosy: + miss-islington; messages: + msg380738
2020-07-21 03:19:45 ammar2 set messages: + msg374051
2020-07-20 22:22:01 steve.dower set messages: + msg374031
2020-07-16 03:09:33 ammar2 set keywords: + patch; nosy: + ammar2; pull_requests: + pull_request20643; stage: patch review
2020-06-10 11:53:22 chris.jerdonek set nosy: + chris.jerdonek
2020-06-10 07:40:03 ned.deily set nosy: + paul.moore, tim.golden, zach.ware, steve.dower; title: subprocess docs don't qualify the instruction to use shlex.quote by OS -> subprocess docs should warn of shlex use on Windows; components: + Windows; versions: + Python 3.9, Python 3.10
2020-06-09 20:50:18 Stephen Farris set type: security
2020-06-09 20:49:51 Stephen Farris create