Title: subprocess docs should warn of shlex use on Windows
Type: security Stage: patch review
Components: Documentation, Windows Versions: Python 3.10, Python 3.9, Python 3.8
Status: open Resolution:
Dependencies: Superseder:
Assigned To: docs@python Nosy List: Stephen Farris, ammar2, chris.jerdonek, docs@python, paul.moore, steve.dower, tim.golden, zach.ware
Priority: normal Keywords: patch

Created on 2020-06-09 20:49 by Stephen Farris, last changed 2020-07-21 03:19 by ammar2.

Pull Requests
URL       | Status | Linked                   | Edit
PR 21502  | open   | ammar2, 2020-07-16 03:09 |
Messages (3)
msg371140 - (view) Author: Stephen Farris (Stephen Farris) Date: 2020-06-09 20:49
The subprocess docs state: "When using shell=True, the shlex.quote() function can be used to properly escape whitespace and shell metacharacters in strings that are going to be used to construct shell commands." While this is true on Unix, it is not true on Windows. On Windows it is easy to create scenarios where shell injection still exists despite using shlex.quote properly (e.g. "'&calc '"), shell=True) launches the Windows calculator, which it wouldn't do if shlex.quote was able to prevent shell injection on Windows). While the shlex docs state that shlex is for Unix, the subprocess docs imply that shlex.quote will work on Windows too, possibly leading some developers to erroneously use shlex.quote on Windows to try to prevent shell injection. Recommend: 1) qualifying the above section in the subprocess docs to make it clear that this only works on Unix, and 2) updating the shlex docs with warnings that shlex.quote in particular is not for use on Windows.
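An added example (not from the bug report or from CPython) that shows the mismatch the report describes: a small model of cmd.exe quoting (double quotes toggle a quoted region, single quotes are inert, caret escapes are deliberately not modelled, which is an assumption made for brevity) applied to shlex.quote() output, beside the POSIX tokenization of the same string and the argv form that subprocess builds on Windows when shell=False:

```python
# Added example, not part of the bug report or of CPython's documentation.
import shlex
import subprocess

# cmd.exe characters that separate commands or redirect I/O when they sit
# outside a double-quoted region. Single quotes mean nothing to cmd.exe.
CMD_METACHARS = set("&|<>^")


def cmd_active_metachars(cmdline):
    """Return the cmd.exe metacharacters that are still 'live' in cmdline.

    Simplified cmd.exe model (assumption): a double quote toggles quoting and
    metacharacters inside a quoted region are inert. Caret escapes are ignored.
    """
    live = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in CMD_METACHARS and not in_quotes:
            live.append(ch)
    return live


def analyze(untrusted):
    """Quote a value the POSIX way and compare how the two shells would see it."""
    quoted = shlex.quote(untrusted)
    return {
        "quoted": quoted,
        # A POSIX shell sees exactly one argument; the '&' is inert.
        "posix_tokens": shlex.split(quoted),
        # cmd.exe sees the '&' outside the double quotes and splits the command.
        "cmd_live": cmd_active_metachars(quoted),
    }


def windows_argv_form(args):
    """Mitigation on Windows: pass a list with shell=False. subprocess then
    quotes it with list2cmdline for CreateProcess, so no cmd.exe parsing occurs
    and the untrusted text stays a single argument (placeholder program name)."""
    return subprocess.list2cmdline(args)


if __name__ == "__main__":
    value = "'&calc '"  # the value quoted in the bug report
    result = analyze(value)
    print("shlex.quote       :", result["quoted"])
    print("POSIX tokens      :", result["posix_tokens"])
    print("cmd.exe live chars:", result["cmd_live"])
    print("argv form         :", windows_argv_form(["tool.exe", value]))
```

The analysis only inspects strings; nothing is executed, so it runs the same on any platform.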
msg374031 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-07-20 22:22
I wonder whether we should be more specific about the shells that shlex works for? Since WSL makes *sh (Bash, Dash, Sh, etc.) easily available on Windows, and I believe PowerShell on Linux keeps its own quoting rules.
msg374051 - (view) Author: Ammar Askar (ammar2) * (Python triager) Date: 2020-07-21 03:19
Hmm, it'd be hard to enumerate them all. The module does say, "...simple syntaxes resembling that of the Unix shell" but that's it.

Distinguishing at the OS level for shlex does seem a bit weird given the existence of WSL and non-compliant shells on Linux like xonsh. I think it'd be nice if we could be a bit more specific on what's supported, maybe it covers all POSIX compliant shells?

For the subprocess warning I think it's fine to talk about the OS since it looks like the shells used are hard-coded in:

Date                | User           | Action | Args
2020-07-21 03:19:45 | ammar2         | set    | messages: + msg374051
2020-07-20 22:22:01 | steve.dower    | set    | messages: + msg374031
2020-07-16 03:09:33 | ammar2         | set    | keywords: + patch; nosy: + ammar2; pull_requests: + pull_request20643; stage: patch review
2020-06-10 11:53:22 | chris.jerdonek | set    | nosy: + chris.jerdonek
2020-06-10 07:40:03 | ned.deily      | set    | nosy: + paul.moore, tim.golden, zach.ware, steve.dower; title: subprocess docs don't qualify the instruction to use shlex.quote by OS -> subprocess docs should warn of shlex use on Windows; components: + Windows; versions: + Python 3.9, Python 3.10
2020-06-09 20:50:18 | Stephen Farris | set    | type: security
2020-06-09 20:49:51 | Stephen Farris | create |