Issue666700
Created on 2003-01-12 16:45 by asqui, last changed 2022-04-10 16:06 by admin. This issue is now closed.
Messages (10) | |||
---|---|---|---|
msg14023 - (view) | Author: Dani (asqui) | Date: 2003-01-12 16:45 | |
After being somewhat dumbfounded by the fact that there is no easy way to securely give user input as parameters to an external utility (because of the fact that os.popen*() runs things in the shell), I was happy to find that (os | popen2).popen[234]() will accept either a string as the command and execute it within a shell, or a string list which is executed directly. This does not apply to os.popen(), however popen2.popen[234]() all use this piece of code to execute the command in the child process:

/usr/lib/python2.2/popen2.py

```python
def _run_child(self, cmd):
    if isinstance(cmd, types.StringTypes):
        cmd = ['/bin/sh', '-c', cmd]
    for i in range(3, MAXFD):
        try:
            os.close(i)
        except:
            pass
    try:
        os.execvp(cmd[0], cmd)
    finally:
        os._exit(1)
```

Meaning that unless cmd is a string it will be run directly, outside of any shell. This appears to be the case for os.popen[234]() as well as popen2.popen*() |
|||
msg14024 - (view) | Author: Dani (asqui) | Date: 2003-01-12 16:49 | |
(The punch line which I omitted was that this fact is not documented anywhere.) |
|||
msg14025 - (view) | Author: Bernhard Herzog (bernhard) | Date: 2003-08-05 16:04 | |
Given that the command as list of strings feature only works on Unix-like systems, ISTM it should perhaps only be documented for the PopenN classes. Maybe the documentation for the functions should state that on unix they accept lists of strings, though. |
|||
msg14026 - (view) | Author: Jeremy Fincher (jemfinch) | Date: 2003-09-23 22:34 | |
Can I second that the documentation should definitely be updated to reflect this possibility, even if it's only available on *nix-like systems? This is something that many other languages in the same realm as Python (Perl, PHP, etc.) support and document, and I can't see any good reason why we *shouldn't* document a more secure way to give data to external programs. |
|||
msg14027 - (view) | Author: Facundo Batista (facundobatista) * | Date: 2005-01-11 03:34 | |
Please, could you verify if this problem persists in Python 2.3.4 or 2.4? If yes, in which version? Can you provide a test case? If the problem is solved, from which version? Note that if you fail to answer in one month, I'll close this bug as "Won't fix". Thank you! . Facundo |
|||
msg14028 - (view) | Author: Facundo Batista (facundobatista) * | Date: 2005-01-11 03:34 | |
Should this be fixed in 2.4? Now we have the "subprocess" module. |
|||
msg14029 - (view) | Author: Jeremy Fincher (jemfinch) | Date: 2005-01-11 15:08 | |
Yes, I believe it should. |
|||
msg14030 - (view) | Author: Facundo Batista (facundobatista) * | Date: 2005-01-11 15:19 | |
Jeremy, could you please provide a patch for the docs? Thanks! |
|||
msg14031 - (view) | Author: Jeremy Fincher (jemfinch) | Date: 2005-01-11 16:56 | |
I think I misunderstood your question. Yes, this *is* already fixed in the documentation for the subprocess module in 2.4. |
|||
msg14032 - (view) | Author: Facundo Batista (facundobatista) * | Date: 2005-05-30 20:03 | |
Ok, fixed. |
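
The behaviour the first message describes, as an added example that is not part of the original thread or of Python's own code: `child_argv` mirrors the string-versus-list branch of the quoted `_run_child`, and `subprocess.run` stands in for `popen2`, which current Python no longer ships. The names `child_argv`, `run`, `demo` and the sample input are made up here, and a Unix-like system with `/bin/sh` and `echo` is assumed.

```python
import subprocess


def child_argv(cmd):
    """Mirror the branch in the quoted _run_child: a string is wrapped in
    /bin/sh -c, anything else is taken as the argv to exec directly."""
    if isinstance(cmd, str):
        return ["/bin/sh", "-c", cmd]
    return list(cmd)


def run(cmd):
    """Exec the resulting argv (no extra shell added here); return stdout lines."""
    done = subprocess.run(child_argv(cmd), capture_output=True,
                          text=True, check=True)
    return done.stdout.splitlines()


# Constructed sample of untrusted input containing a shell metacharacter.
USER_INPUT = "report.txt; echo INJECTED"


def demo():
    # String form: /bin/sh parses the text, so ';' ends the first command
    # and the rest of the input runs as a second command.
    as_string = run("echo " + USER_INPUT)
    # List form: execvp receives the input as one argv element; nothing
    # parses it, so the metacharacter is just data.
    as_list = run(["echo", USER_INPUT])
    return as_string, as_list


if __name__ == "__main__":
    as_string, as_list = demo()
    print("string form:", as_string)
    print("list form:  ", as_list)
```
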
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-10 16:06:08 | admin | set | github: 37762 |
2003-01-12 16:45:44 | asqui | create |