Message383107
The https://docs.python.org/dev/library/subprocess.html#subprocess-replacements documentation suggests replacing os.popen(cmd, "w") with Popen(cmd, stdin=PIPE), without shell=True. My problem is that the replacement does change the behavior if the command does not exist.
--
I would like to avoid a shell (shell=True) to avoid any risk of shell injection vulnerability, but also to avoid bugs caused by the usage of a shell.
For example, "*" is a joker character. "*.py" is expanded to the list of filenames ending with ".py", or left unchanged if there is no file with a name ending with ".py". It's surprising if you are not used to a shell, and you expect "*" to be passed to the final command.
There are other weird cases with a shell, like bpo-26124 "shlex.quote and pipes.quote do not quote shell keywords".
See bpo-42641 "Deprecate os.popen() function" for other examples.
Date | User | Action | Args
2020-12-15 23:54:44 | vstinner | set | recipients: + vstinner, gregory.p.smith
2020-12-15 23:54:44 | vstinner | set | messageid: <1608076484.95.0.775862724689.issue42648@roundup.psfhosted.org>
2020-12-15 23:54:44 | vstinner | link | issue42648 messages
2020-12-15 23:54:44 | vstinner | create |
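The two behaviour differences this message describes (a missing command, and "*" expansion), as an added example that is not part of the original message or of CPython's own code. It assumes a POSIX system with /bin/sh; `MISSING` is a constructed command name assumed absent from PATH, and the function names are hypothetical.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed command name, assumed not to exist on PATH.
MISSING = "no-such-command-issue42648-example"
# Child program that prints the arguments it actually received.
ECHO_ARGS = "import sys; print(*sys.argv[1:])"

def missing_command_with_shell():
    """Shell form (what os.popen uses): Popen itself succeeds."""
    proc = subprocess.Popen(MISSING, shell=True, stdin=subprocess.PIPE,
                            stderr=subprocess.DEVNULL)
    proc.communicate(b"data")   # a broken pipe here is ignored by communicate()
    return proc.returncode      # the shell reports "not found" as exit status 127

def missing_command_without_shell():
    """List form without a shell: the failure is raised in the parent."""
    try:
        subprocess.Popen([MISSING], stdin=subprocess.PIPE)
    except FileNotFoundError as exc:
        return type(exc).__name__
    return None

def wildcard_args(use_shell):
    """Return the argv the child sees when given the argument *.py."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a.py", "b.py"):
            open(os.path.join(tmp, name), "w").close()
        if use_shell:
            # Everything is quoted except the wildcard, which the shell expands.
            cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(ECHO_ARGS)} *.py"
        else:
            cmd = [sys.executable, "-c", ECHO_ARGS, "*.py"]
        out = subprocess.run(cmd, shell=use_shell, cwd=tmp, check=True,
                             capture_output=True, text=True)
        return out.stdout.split()

if __name__ == "__main__":
    print("missing, shell=True :", missing_command_with_shell())
    print("missing, no shell   :", missing_command_without_shell())
    print("*.py, shell=True    :", wildcard_args(True))
    print("*.py, no shell      :", wildcard_args(False))
```

Code migrated from os.popen() to the list form therefore needs to handle FileNotFoundError where it previously only checked an exit status.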