Author serhiy.storchaka
Recipients serhiy.storchaka, vstinner
Date 2020-12-15.07:45:48
Message-id <1608018348.49.0.658177511896.issue42641@roundup.psfhosted.org>
Content
Searching os.popen in code on GitHub gives around 4.5 million results. It seems that most of them use literal strings which are very specific to the program, like

    check2 = os.popen('grep "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/*').read()

They are not vulnerable to shell injection, and the other drawbacks of os.popen do not matter in those cases. Most of that code looks like specialized scripts rather than parts of general libraries.

Yes, some examples can be vulnerable to shell injection (although in their use cases, with restricted data and environment, they can be pretty safe). But deprecating os.popen can break millions of scripts and cause more harm than it prevents bugs.

It may be a better strategy to document the drawbacks and limitations of os.popen and advertise alternatives.
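As an added example (not part of the tracker message or of CPython), the distinction the message draws, a literal command versus one assembled at runtime, can be checked mechanically with the `ast` module; the sample source below is constructed, with the grep call from the message written as a raw string.

```python
"""Classify os.popen() calls by whether the command is a plain string literal."""
import ast
from typing import List, Tuple

# Constructed sample: one literal command (the message's own grep example,
# as a raw string) and two commands built from runtime values.
SAMPLE_SOURCE = r'''
import os
check2 = os.popen(r'grep "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/*').read()
host = input()
out = os.popen("ping -c 1 " + host).read()
out2 = os.popen(f"ls {path}").read()
'''


def _is_os_popen(call: ast.Call) -> bool:
    """True for calls spelled exactly `os.popen(...)` (from-imports are not handled)."""
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == "popen"
            and isinstance(func.value, ast.Name) and func.value.id == "os")


def classify_popen_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line number, kind) for every os.popen call in `source`.

    kind is "literal" when the command argument is a constant str, which is the
    case the message treats as not injectable, and "dynamic" for anything else
    (concatenation, %-formatting, .format(), f-strings, variables).
    """
    results = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_os_popen(node)):
            continue
        if not node.args:
            continue  # no positional command argument; nothing to classify
        cmd = node.args[0]
        literal = isinstance(cmd, ast.Constant) and isinstance(cmd.value, str)
        results.append((node.lineno, "literal" if literal else "dynamic"))
    return results


if __name__ == "__main__":
    for lineno, kind in classify_popen_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: os.popen command is {kind}")
```

Only the "dynamic" hits are candidates for migration to `subprocess.run` with an argument list; the literal ones are the scripts the message expects a deprecation would needlessly break.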