Message 250074 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	steve.dower
Recipients	Arfrever, PedanticHacker, devplayer, eryksun, jbmilam, joncwchao, python-dev, r.david.murray, steve.dower
Date	2015-09-07.05:49:52
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1441604994.88.0.396817085759.issue8232@psf.upfronthosting.co.za>
In-reply-to

Content
Here's an alternate patch I proposed on #25005 before we decided to back out the change. The problem is that subprocess.call() with shell=True is unsafe because we don't escape shell operators (such as &, <, >, \|). The fix in this patch is to allow passing arguments to os.startfile so we can use that instead. Arguments do not need to be escaped in this case.

Here's an alternate patch I proposed on #25005 before we decided to back out the change.

The problem is that subprocess.call() with shell=True is unsafe because we don't escape shell operators (such as &, <, >, |).

The fix in this patch is to allow passing arguments to os.startfile so we can use that instead. Arguments do not need to be escaped in this case.

History
Date	User	Action	Args
2015-09-07 05:49:55	steve.dower	set	recipients: + steve.dower, Arfrever, r.david.murray, joncwchao, devplayer, python-dev, eryksun, jbmilam, PedanticHacker
2015-09-07 05:49:54	steve.dower	set	messageid: <1441604994.88.0.396817085759.issue8232@psf.upfronthosting.co.za>
2015-09-07 05:49:54	steve.dower	link	issue8232 messages
2015-09-07 05:49:54	steve.dower	create