This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author ncoghlan
Recipients alex, ncoghlan
Date 2011-10-21.06:36:57
SpamBayes Score 1.6569838e-06
Marked as misclassified No
Message-id <>
And that's exactly the problem - a web developer's or security auditor's "shell injection" is a system administrator's "this language sucks".

These wrappers are the kind of thing you want for shell invocations when using Python as a replacement for a shell script or rewriting something that was originally written in Perl, but they're a terrible idea if anything you're interpolating came from an untrusted data source.

Currently, requiring "shell=True" in the arguments to the subprocess calls is considered a sufficient deterrent against people doing the wrong thing. I'm suggesting that requiring "import shutil" instead of "import subprocess" may be a similarly acceptable compromise that better serves the system administrators that choose to use Python for system automation tasks.
Date User Action Args
2011-10-21 06:36:58ncoghlansetrecipients: + ncoghlan, alex
2011-10-21 06:36:58ncoghlansetmessageid: <>
2011-10-21 06:36:58ncoghlanlinkissue13238 messages
2011-10-21 06:36:57ncoghlancreate