Message 383012 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	vstinner
Date	2020-12-14.22:52:42
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1607986363.29.0.33477455927.issue42641@roundup.psfhosted.org>
In-reply-to

Content
The os.popen() function uses a shell by default which usually leads to shell injection vulnerability. It also has a weird API: * closing the file waits until the process completes. * close() returns a "wait status" () not a "returncode" () see https://docs.python.org/dev/library/os.html#os.waitstatus_to_exitcode for the meaning of a "wait status". IMO the subprocess module provides better and safer alternatives with a clean API. The subprocess module already explains how to replace os.popen() with subprocess: https://docs.python.org/dev/library/subprocess.html#replacing-os-popen-os-popen2-os-popen3 In Python 2, os.popen() was deprecated since Python 2.6, but Python 3.0 removed the deprecation (commit dcf97b98ec5cad972b3a8b4989001c45da87d0ea, then commit f5a429295d855267c33c5ef110fbf05ee7a3013e extended os.popen() documentation again: bpo-6490). platform.popen() existed until Python 3.8 (bpo-35345). It was deprecated since Python 3.3 (bpo-11377). -- There is also the os.system() function which exposes the libc system() function. Should we deprecate this one as well?

The os.popen() function uses a shell by default which usually leads to shell injection vulnerability.

It also has a weird API:

* closing the file waits until the process completes.
* close() returns a "wait status" (*) not a "returncode"

(*) see https://docs.python.org/dev/library/os.html#os.waitstatus_to_exitcode for the meaning of a "wait status".

IMO the subprocess module provides better and safer alternatives with a clean API. The subprocess module already explains how to replace os.popen() with subprocess:
https://docs.python.org/dev/library/subprocess.html#replacing-os-popen-os-popen2-os-popen3

In Python 2, os.popen() was deprecated since Python 2.6, but Python 3.0 removed the deprecation (commit dcf97b98ec5cad972b3a8b4989001c45da87d0ea, then commit f5a429295d855267c33c5ef110fbf05ee7a3013e extended os.popen() documentation again: bpo-6490).

platform.popen() existed until Python 3.8 (bpo-35345). It was deprecated since Python 3.3 (bpo-11377).

--

There is also the os.system() function which exposes the libc system() function. Should we deprecate this one as well?

History
Date	User	Action	Args
2020-12-14 22:52:43	vstinner	set	recipients: + vstinner
2020-12-14 22:52:43	vstinner	set	messageid: <1607986363.29.0.33477455927.issue42641@roundup.psfhosted.org>
2020-12-14 22:52:43	vstinner	link	issue42641 messages
2020-12-14 22:52:42	vstinner	create