Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #77400 > unrolled thread

Re: subprocess module usage

Started byCameron Simpson <cs@zip.com.au>
First post2014-09-01 18:46 +1000
Last post2014-09-01 18:46 +1000
Articles 1 — 1 participant

Back to article view | Back to comp.lang.python

This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.

Contents

  Re: subprocess module usage Cameron Simpson <cs@zip.com.au> - 2014-09-01 18:46 +1000

#77400 — Re: subprocess module usage

FromCameron Simpson <cs@zip.com.au>
Date2014-09-01 18:46 +1000
SubjectRe: subprocess module usage
Message-ID<mailman.13686.1409561223.18130.python-list@python.org>
On 01Sep2014 14:33, Earl Lapus <earl.lapus@gmail.com> wrote:
>On Mon, Sep 1, 2014 at 1:39 PM, Chris Angelico <rosuav@gmail.com> wrote:
>> Glad it's working! But please, don't just take my word for it and make
>> a black-box change to your code. When you invoke subprocesses, be sure
>> you understand what's going on, and when shell=True is appropriate and
>> when shell=False is appropriate. The docs should be fairly clear on
>> this. If you get this sort of thing wrong, you'll get weird errors
>> like this (if you're lucky), or open yourself up to shell injection
>> vulnerabilities (if you're not).
>
>The command and arguments that will be passed to check_output will not
>depend on user input. So, the chances of malicious commands from being
>executed would be low (right?).

Not really. If the arguments are coming in from the command line, someone (a 
user, even if that user is the programmer) typed them. Even if not malicious, 
they can still be mistaken. Or just unfortunate.

You should always want to do exactly what you're asked. If you misuse 
shell=True when the user is expecting shell=False (i.e. "just do what I 
said!"), then your program will not carry out the user's intent. If it does not 
fail outright, it will presumably do the _wrong_ thing.

Cheers,
Cameron Simpson <cs@zip.com.au>

Music journalism: People who can't write interviewing people who can't talk
for people who can't read.      - Frank Zappa

[toc] | [standalone]

Back to top | Article view | comp.lang.python

csiph-web