Author vstinner
Recipients vstinner
Date 2020-12-14.22:52:42
Message-id <1607986363.29.0.33477455927.issue42641@roundup.psfhosted.org>
In-reply-to
Content
The os.popen() function uses a shell by default, which usually leads to a shell injection vulnerability.

It also has a weird API:

* closing the file waits until the process completes.
* close() returns a "wait status" (*) not a "returncode"

(*) see https://docs.python.org/dev/library/os.html#os.waitstatus_to_exitcode for the meaning of a "wait status".

IMO the subprocess module provides better and safer alternatives with a clean API. The subprocess module already explains how to replace os.popen() with subprocess:
https://docs.python.org/dev/library/subprocess.html#replacing-os-popen-os-popen2-os-popen3

In Python 2, os.popen() was deprecated since Python 2.6, but Python 3.0 removed the deprecation (commit dcf97b98ec5cad972b3a8b4989001c45da87d0ea, then commit f5a429295d855267c33c5ef110fbf05ee7a3013e extended os.popen() documentation again: bpo-6490).

platform.popen() existed until Python 3.8 (bpo-35345). It was deprecated since Python 3.3 (bpo-11377).

--

There is also the os.system() function which exposes the libc system() function. Should we deprecate this one as well?
History
Date User Action Args
2020-12-14 22:52:43  vstinner  set     recipients: + vstinner
2020-12-14 22:52:43  vstinner  set     messageid: <1607986363.29.0.33477455927.issue42641@roundup.psfhosted.org>
2020-12-14 22:52:43  vstinner  link    issue42641 messages
2020-12-14 22:52:42  vstinner  create
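
Added example, not part of the original message or of CPython's own code: the two points the message raises about os.popen(), shown next to the subprocess equivalent. It assumes a POSIX system with /bin/sh and an echo binary and Python 3.9+ (for os.waitstatus_to_exitcode); the function names and the sample input are constructed for illustration.

```python
import os
import subprocess

# Constructed untrusted input: a "file name" that carries a shell metacharacter.
UNTRUSTED = "notes.txt; echo INJECTED"


def list_with_popen(name):
    """Pattern the message warns about: the whole string is parsed by /bin/sh."""
    pipe = os.popen("echo listing " + name)
    output = pipe.read()
    status = pipe.close()  # blocks until the child exits; None when it exited 0
    return output, status


def list_with_subprocess(name):
    """No shell involved: name is passed as exactly one argv element."""
    proc = subprocess.run(
        ["echo", "listing", name],
        capture_output=True,
        text=True,
        check=False,
    )
    return proc.stdout, proc.returncode


def exit_code_via_popen(code):
    """close() returns a wait status, which must be decoded to get the exit code."""
    pipe = os.popen(f"exit {code}")
    pipe.read()
    status = pipe.close()
    decoded = 0 if status is None else os.waitstatus_to_exitcode(status)
    return status, decoded


if __name__ == "__main__":
    # The shell splits on ';' and runs the second command.
    print(repr(list_with_popen(UNTRUSTED)))
    # The same input is printed back as inert data.
    print(repr(list_with_subprocess(UNTRUSTED)))
    # Wait status versus decoded exit code for "exit 3".
    print(exit_code_via_popen(3))
```

With subprocess.run() and an argument list, the returncode attribute is already the exit code, so no decoding step is needed.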