
Re: os.popen and the subprocess module

From Nobody <nobody@nowhere.com>
Subject Re: os.popen and the subprocess module
Date 2012-11-29 18:39 +0000
Message-Id <pan.2012.11.29.18.39.14.718000@nowhere.com>
Newsgroups comp.lang.python
References <mailman.316.1354039468.29569.python-list@python.org> <k978ot$b04$1@r03.glglgl.gl>
Organization Zen Internet



On Thu, 29 Nov 2012 10:09:44 +0100, Thomas Rachel wrote:

> The variant with shell=True is more os.popen()-like, but has security
> flaws (e.g., what happens if there are spaces or, even worse, ";"s in the
> command string?

I think that you're conflating the shell= option with whether the command
is given as a list or a string.

Attempting to construct a command string risks introducing security flaws
(or other bugs). Wherever possible, the first argument should be a list. A
string should only be used if that's what you're given (e.g. via a
configuration file), in which case it should be used literally, without
any attempt to substitute filenames or other parameters.

On Windows, list-versus-string and shell= are orthogonal. A list will
always be converted to a string, as that's what the underlying
CreateProcess() function requires. shell=True prepends "cmd /c " ("cmd" is
replaced by the value of %comspec% if that is defined); this allows
execution of batch files, scripts, etc., based upon their associations.

On Unix, passing a list with shell=True is rarely useful. It just prepends
['/bin/sh', '-c'] to the list, so the first item is the shell command
while subsequent items provide the values for the shell variables $1, $2,
etc.
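The points made above, as an added example that is not part of Nobody's post: the list form passes an untrusted value through as a single argv element, a command string built by concatenation hands that same value to /bin/sh -c where ";" splits it into two commands, shlex.quote() is the mitigation when a string really is required, and a list passed with shell=True on Unix becomes ['/bin/sh', '-c', script, ...] with the remaining items available as positional parameters inside the script. The example assumes a Unix system with /bin/sh; the untrusted filename and the echo scripts are constructed sample inputs.

```python
import shlex
import subprocess

# Constructed sample input: an untrusted value (say, a filename read from a
# configuration file) that happens to contain a shell metacharacter.
UNTRUSTED_NAME = "report.txt; echo injected"


def _run(args, shell=False):
    """Run a command, capturing stdout as text; raises on a non-zero exit."""
    return subprocess.run(args, shell=shell, capture_output=True,
                          text=True, check=True).stdout


def echo_as_list(name):
    """Safe form: an argument list with shell=False (the default).
    No shell is involved, so the whole value reaches echo as one argument."""
    return _run(["echo", name]).rstrip("\n")


def echo_as_shell_string(name):
    """Unsafe form: a command string built from the untrusted value and handed
    to /bin/sh -c. The ';' terminates echo and starts a second command, so
    the output has two lines instead of one."""
    return _run("echo " + name, shell=True).rstrip("\n").split("\n")


def echo_as_quoted_shell_string(name):
    """If a shell string is unavoidable, shlex.quote() wraps the value so the
    shell treats it as a single literal word."""
    return _run("echo " + shlex.quote(name), shell=True).rstrip("\n")


def shell_positional_params(script, *params):
    """A list with shell=True on Unix becomes ['/bin/sh', '-c', script, ...].
    The item right after the script is $0 (conventionally a program name, here
    the constant 'sh'); the items after that become $1, $2, ... in the script."""
    return _run([script, "sh", *params], shell=True).rstrip("\n")


if __name__ == "__main__":
    print("list, no shell     :", echo_as_list(UNTRUSTED_NAME))
    print("string, shell=True :", echo_as_shell_string(UNTRUSTED_NAME))
    print("quoted, shell=True :", echo_as_quoted_shell_string(UNTRUSTED_NAME))
    print("positional params  :", shell_positional_params('echo "$1 $2"', "first", "second"))
```

Run it and the first line prints the filename literally, the second shows that the same value produced a second command, the third shows quoting restoring the literal, and the last shows the extra list items arriving as $1 and $2 inside the script.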



Thread

os.popen and the subprocess module Andrew <drew00andy@yahoo.co.uk> - 2012-11-27 20:00 +0200
  Re: os.popen and the subprocess module Tim Roberts <timr@probo.com> - 2012-11-28 20:14 -0800
  Re: os.popen and the subprocess module Thomas Rachel <nutznetz-0c1b6768-bfa9-48d5-a470-7603bd3aa915@spamschutz.glglgl.de> - 2012-11-29 10:09 +0100
    Re: os.popen and the subprocess module Nobody <nobody@nowhere.com> - 2012-11-29 18:39 +0000
      Re: os.popen and the subprocess module emile <emile@fenx.com> - 2012-11-30 10:01 -0800
