| Date | Mon, 1 Sep 2014 18:46:52 +1000 |
|---|---|
| From | Cameron Simpson <cs@zip.com.au> |
| To | Earl Lapus <earl.lapus@gmail.com> |
| Cc | "python-list@python.org" <python-list@python.org> |
| Subject | Re: subprocess module usage |
| In-Reply-To | <CAPrJNb50Q0h0hKEdaW+ka9fxe=PgShExBtW_=LndDnU8__2cAA@mail.gmail.com> |
| References | <CAPrJNb50Q0h0hKEdaW+ka9fxe=PgShExBtW_=LndDnU8__2cAA@mail.gmail.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.13686.1409561223.18130.python-list@python.org> |
| User-Agent | Mutt/1.5.21 (2010-09-15) |
On 01Sep2014 14:33, Earl Lapus <earl.lapus@gmail.com> wrote:
>On Mon, Sep 1, 2014 at 1:39 PM, Chris Angelico <rosuav@gmail.com> wrote:
>> Glad it's working! But please, don't just take my word for it and make
>> a black-box change to your code. When you invoke subprocesses, be sure
>> you understand what's going on, and when shell=True is appropriate and
>> when shell=False is appropriate. The docs should be fairly clear on
>> this. If you get this sort of thing wrong, you'll get weird errors
>> like this (if you're lucky), or open yourself up to shell injection
>> vulnerabilities (if you're not).
>
>The command and arguments that will be passed to check_output will not
>depend on user input. So, the chances of malicious commands being
>executed would be low (right?).

Not really. If the arguments are coming in from the command line, someone (a user, even if that user is the programmer) typed them. Even if not malicious, they can still be mistaken. Or just unfortunate.

You should always want to do exactly what you're asked. If you misuse shell=True when the user is expecting shell=False (i.e. "just do what I said!"), then your program will not carry out the user's intent. If it does not fail outright, it will presumably do the _wrong_ thing.

Cheers,
Cameron Simpson <cs@zip.com.au>

Music journalism: People who can't write interviewing people who can't talk for people who can't read. - Frank Zappa
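The point Cameron makes about shell=True silently changing what the child receives, as an added example that is not part of the thread. It assumes a POSIX /bin/sh (what subprocess uses for shell=True on Unix) and uses the Python interpreter itself as the child so the argv it actually saw can be read back; the filename is a constructed sample.

```python
import json
import shlex
import subprocess
import sys

# Child program: report the argument vector it actually received as JSON.
ECHO_ARGV = "import sys, json; print(json.dumps(sys.argv[1:]))"


def argv_seen_by_child(filename, use_shell):
    """Pass one 'filename' argument to a child and return the argv list it saw.

    use_shell=True builds a command *string* by naive concatenation, the classic
    shell=True mistake; use_shell=False passes a list with shell=False, where each
    element becomes exactly one argv entry and no shell ever parses the input.
    """
    if use_shell:
        cmd = "%s -c %s %s" % (shlex.quote(sys.executable),
                               shlex.quote(ECHO_ARGV),
                               filename)  # unquoted: the shell re-parses it
    else:
        cmd = [sys.executable, "-c", ECHO_ARGV, filename]
    out = subprocess.check_output(cmd, shell=use_shell)
    return json.loads(out.decode())


def argv_seen_by_child_quoted(filename):
    """If a shell string is genuinely required, shlex.quote() each argument so
    the shell hands it through unchanged (spaces, $, ;, quotes and so on)."""
    cmd = "%s -c %s %s" % (shlex.quote(sys.executable),
                           shlex.quote(ECHO_ARGV),
                           shlex.quote(filename))
    return json.loads(subprocess.check_output(cmd, shell=True).decode())


if __name__ == "__main__":
    # Constructed sample: a perfectly ordinary filename containing a space.
    name = "report 2014.txt"
    print("shell=True, naive string :", argv_seen_by_child(name, True))
    print("shell=False, list form   :", argv_seen_by_child(name, False))
    print("shell=True, shlex.quote  :", argv_seen_by_child_quoted(name))
```

The naive shell=True call hands the child two arguments, 'report' and '2014.txt', so the program does something other than what the user asked for; the list form and the quoted form both deliver the single filename intact.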