
classification
Title: os.popen+() can take string list and bypass shell.
Type:    Stage:
Components: Documentation    Versions: Python 2.4

process
Status: closed    Resolution: fixed
Dependencies:    Superseder:
Assigned To:    Nosy List: asqui, bernhard, facundobatista, jemfinch
Priority: normal    Keywords:

Created on 2003-01-12 16:45 by asqui, last changed 2022-04-10 16:06 by admin. This issue is now closed.

Messages (10)
msg14023 - Author: Dani (asqui) Date: 2003-01-12 16:45
After being somewhat dumbfounded by the fact that there
is no easy way to securely give user input as
parameters to an external utility (because of the fact
that os.popen*() runs things in the shell), I was happy
to find that (os | popen2).popen[234]() will accept
either a string as the command and execute it within a
shell, or a string list which is executed directly.

This does not apply to os.popen(), however
popen2.popen[234]() all use this piece of code to
execute the command in the child process:

/usr/lib/python2.2/popen2.py
    # Method of the Popen3 class; module level imports os and types and sets
    # MAXFD from os.sysconf('SC_OPEN_MAX'), falling back to 256.
    def _run_child(self, cmd):
        # A plain string is wrapped so /bin/sh parses it; a list is left alone
        if isinstance(cmd, types.StringTypes):
            cmd = ['/bin/sh', '-c', cmd]
        # Close every inherited descriptor above stderr before exec
        for i in range(3, MAXFD):
            try:
                os.close(i)
            except:
                pass
        try:
            # cmd[0] is looked up on PATH; each list element is one argv entry
            os.execvp(cmd[0], cmd)
        finally:
            # Only reached if execvp failed
            os._exit(1)

Meaning that unless cmd is a string it will be run
directly, outside of any shell.

This appears to be the case for os.popen[234]() as well
as popen2.popen*().
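As an added example (not part of the original report or of CPython's popen2 module), the same list-versus-string distinction expressed with the subprocess module that the thread later mentions. The sample input is a constructed string containing shell metacharacters; the helper names and the child program are assumptions for illustration. The list form hands the data to the child as a single argv entry with nothing interpreting it, while a shell string is only safe when every piece is quoted with shlex.quote(); the third function shows, without executing anything, how an unquoted string is split into words:

```python
import shlex
import subprocess
import sys

# Constructed sample input: metacharacters a user could type into a field.
USER_INPUT = "hello world; echo $HOME *"

# A tiny child program that echoes its first argument back, so the parent
# can observe exactly what argv[1] looked like inside the child.
CHILD_CODE = "import sys; print(sys.argv[1])"


def child_sees_via_list(arg):
    """Run the child with an argument list: no shell is involved.

    Each list element becomes one argv entry; nothing parses ';', '$' or '*'.
    """
    result = subprocess.run(
        [sys.executable, "-c", CHILD_CODE, arg],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def child_sees_via_quoted_shell_string(arg):
    """Run the same child through /bin/sh, quoting every piece.

    Only needed when a shell feature (pipes, redirection) is actually wanted;
    shlex.quote() turns each piece back into a single shell word.
    """
    parts = (sys.executable, "-c", CHILD_CODE, arg)
    cmd = " ".join(shlex.quote(part) for part in parts)
    result = subprocess.run(
        cmd, shell=True, capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def words_of_unquoted_shell_string(arg):
    """Model what goes wrong when data is pasted into a shell string unquoted.

    shlex.split() only reproduces the word splitting a POSIX shell does (a
    real shell would additionally treat ';' as a separator and expand '$HOME'
    and '*'), but that is already enough to show the argument falling apart.
    """
    unquoted = f"{sys.executable} -c {shlex.quote(CHILD_CODE)} {arg}"
    return shlex.split(unquoted)


if __name__ == "__main__":
    print(repr(child_sees_via_list(USER_INPUT)))
    print(repr(child_sees_via_quoted_shell_string(USER_INPUT)))
    print(words_of_unquoted_shell_string(USER_INPUT))
```

Both run helpers return the input unchanged, which is the property the report is after; the unquoted string yields eight words instead of four arguments. As Bernhard notes further down, the list form of popen2 only bypassed the shell on Unix; subprocess with shell=False does so on every platform.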
msg14024 - Author: Dani (asqui) Date: 2003-01-12 16:49

(The punch line which I omitted was that this fact is not
documented anywhere.)
msg14025 - Author: Bernhard Herzog (bernhard) Date: 2003-08-05 16:04

Given that the command as list of strings feature only works
on Unix-like systems, ISTM it should perhaps only be
documented for the PopenN classes. Maybe the documentation
for the functions should state that on unix they accept
lists of strings, though.
msg14026 - Author: Jeremy Fincher (jemfinch) Date: 2003-09-23 22:34

Can I second that the documentation should definitely be
updated to reflect this possibility, even if it's only
available on *nix-like systems?  This is something that many
other languages in the same realm as Python (Perl, PHP,
etc.) support and document, and I can't see any good reason
why we *shouldn't* document a more secure way to give data
to external programs.
msg14027 - Author: Facundo Batista (facundobatista) * (Python committer) Date: 2005-01-11 03:34

Please, could you verify if this problem persists in Python 2.3.4
or 2.4?

If yes, in which version? Can you provide a test case?

If the problem is solved, from which version?

Note that if you fail to answer in one month, I'll close this bug
as "Won't fix".

Thank you!

    Facundo
msg14028 - Author: Facundo Batista (facundobatista) * (Python committer) Date: 2005-01-11 03:34

Should this be fixed in 2.4? Now we have the "subprocess"
module.
msg14029 - Author: Jeremy Fincher (jemfinch) Date: 2005-01-11 15:08

Yes, I believe it should.
msg14030 - Author: Facundo Batista (facundobatista) * (Python committer) Date: 2005-01-11 15:19

Jeremy, could you please provide a patch for the docs? Thanks!
msg14031 - Author: Jeremy Fincher (jemfinch) Date: 2005-01-11 16:56

I think I misunderstood your question.  Yes, this *is* already fixed in the 
documentation for the subprocess module in 2.4.
msg14032 - Author: Facundo Batista (facundobatista) * (Python committer) Date: 2005-05-30 20:03

Ok, fixed.
History
Date                 User   Action  Args
2022-04-10 16:06:08  admin  set     github: 37762
2003-01-12 16:45:44  asqui  create