
Author vstinner
Recipients gregory.p.smith, vstinner
Date 2020-12-15.23:54:44
Message-id <1608076484.95.0.775862724689.issue42648@roundup.psfhosted.org>
Content
https://docs.python.org/dev/library/subprocess.html#subprocess-replacements documentation suggests replacing os.popen(cmd, "w") with Popen(cmd, stdin=PIPE), without shell=True. My problem is that the replacement does change the behavior if the command does not exist.

--

I would like to avoid a shell (shell=True) to avoid any risk of shell injection vulnerability, but also to avoid bugs caused by the usage of a shell.

For example, "*" is a joker character. "*.py" is expanded to the list of filenames ending with ".py", or left unchanged if there is no file with a name ending with ".py". It's surprising if you are not used to a shell, and you expect "*" to be passed to the final command.

There are other weird cases with a shell, like bpo-26124 "shlex.quote and pipes.quote do not quote shell keywords".

See bpo-42641 "Deprecate os.popen() function" for other examples.
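
The two behaviours described in this message, as an added example that is not part of the original message or of the CPython documentation. It assumes a POSIX system with /bin/sh and an `echo` binary on PATH; the command name and the function names are constructed for illustration.

```python
import os
import subprocess
import tempfile

# Constructed command name, assumed not to exist on PATH.
MISSING = "no-such-command-bpo42648"


def popen_via_shell(cmd):
    """os.popen(cmd, "w") starts /bin/sh, so the call itself succeeds; a
    missing command only shows up as the shell's exit status on close()."""
    pipe = os.popen(cmd + " 2>/dev/null", "w")  # stderr silenced for the demo
    status = pipe.close()  # None on success, otherwise the wait status
    return 0 if status is None else os.WEXITSTATUS(status)


def popen_without_shell(argv):
    """Popen(argv, stdin=PIPE) without shell=True: the failed exec is
    reported to the parent as an exception before any data is written."""
    try:
        proc = subprocess.Popen(argv, stdin=subprocess.PIPE)
    except FileNotFoundError as exc:
        return type(exc).__name__
    proc.communicate()
    return proc.returncode


def echo_star(shell):
    """Pass "*.py" to echo in a directory that contains a.py and b.py."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a.py", "b.py"):
            open(os.path.join(tmp, name), "w").close()
        cmd = "echo *.py" if shell else ["echo", "*.py"]
        done = subprocess.run(cmd, shell=shell, cwd=tmp,
                              capture_output=True, text=True)
        return sorted(done.stdout.split())


if __name__ == "__main__":
    print("os.popen exit status:", popen_via_shell(MISSING))
    print("Popen without shell: ", popen_without_shell([MISSING]))
    print("shell=True argv:     ", echo_star(shell=True))
    print("shell=False argv:    ", echo_star(shell=False))
```

Code that ports from os.popen() to Popen() without a shell has to handle FileNotFoundError at the call site, where it previously had to check the status returned by close().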