
Author christoph.neuroth
Recipients christoph.neuroth, georg.brandl
Date 2010-02-17.10:15:56
Message-id <1266401759.12.0.600282213979.issue7950@psf.upfronthosting.co.za>
In-reply-to
Content
Currently, the documentation of subprocess only says "Calling the program through the shell is usually not required." IMHO there should be a real warning (like, in its own box with a couple of big exclamation marks ;)) about the security implications of using this and detailed instructions of how to avoid it. People tend to use this functionality just because they "know how to use the shell" and it's just so convenient - and by doing so they create huge security holes in their applications.
History
Date                 User               Action  Args
2010-02-17 10:15:59  christoph.neuroth  set     recipients: + christoph.neuroth, georg.brandl
2010-02-17 10:15:59  christoph.neuroth  set     messageid: <1266401759.12.0.600282213979.issue7950@psf.upfronthosting.co.za>
2010-02-17 10:15:57  christoph.neuroth  link    issue7950 messages
2010-02-17 10:15:56  christoph.neuroth  create
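
The risk the message above describes, shown as an added example that is not part of the original message or of the Python documentation: the same untrusted string passed to subprocess through the shell, as an argument list, and through the shell with quoting. It assumes a POSIX system with `/bin/sh` and an `echo` program on PATH; the function names and the sample input are constructed for illustration.

```python
import shlex
import subprocess

# Constructed sample input: a "filename" that carries a shell metacharacter.
UNTRUSTED = "report.txt; echo INJECTED"


def run_via_shell(name):
    """Risky pattern: the whole string is parsed by /bin/sh, so the ';'
    in the input ends the intended command and starts a second one."""
    proc = subprocess.run("echo " + name, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_via_argv(name):
    """Hardened pattern: an argument list and no shell. The input reaches
    the program as exactly one argv entry and is never parsed as syntax."""
    proc = subprocess.run(["echo", name], capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_via_shell_quoted(name):
    """When shell features (here a pipe) are really needed, quote every
    untrusted piece with shlex.quote before building the command string."""
    cmd = "echo " + shlex.quote(name) + " | cat"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("shell=True    :", run_via_shell(UNTRUSTED))
    print("argument list :", run_via_argv(UNTRUSTED))
    print("shlex.quote   :", run_via_shell_quoted(UNTRUSTED))
```

Two output lines from the first call mean the shell ran a second command taken from the input; the other two calls return the input as a single literal line.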