
Sept. 5, 2015
11:59 a.m.
On 5 September 2015 at 12:36, Nikolaus Rath <Nikolaus@rath.org> wrote:
> Hi Nick,
>
> You are giving
>
>     runcommand(sh(i"cat (unknown)"))
>
> as an example that avoids injection attacks. While this is true, I think this is still a terrible anti-pattern[1] that should not be entombed in a PEP as a positive example.
>
> Could you consider removing it?
>
> (It doubly wastes resources by pointlessly calling a shell, and then by parsing & quoting the argument only for the shell to do the same in reverse).
Any reasonable implementation of that pattern wouldn't actually call a system shell; it would invoke something like Julia's command system.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
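The contrast drawn in this exchange, as an added example that is not part of the thread or of PEP 501: a renderer that shell-quotes every interpolated value and hands the result to a shell (the `sh()` style Nikolaus objects to) beside one that builds an argv list directly and never invokes a shell (the Julia-style command system Nick describes). The `i"..."` syntax does not exist here, so templates are plain `str.format`-style strings parsed with `string.Formatter`; `sh`, `command` and `runcommand` are hypothetical names chosen to mirror the PEP's example.

```python
import shlex
import subprocess
from string import Formatter


def parse_template(template):
    """Split a template into (literal, field_name) pairs; field_name is None
    for a trailing literal. Stand-in for the parsed form an i-string would carry."""
    return [(lit, field) for lit, field, _spec, _conv in Formatter().parse(template)]


def sh(template, values):
    """Render to one shell command line, shell-quoting each interpolated value.
    Safe against injection, but the shell must re-parse what we just quoted."""
    parts = []
    for literal, field in parse_template(template):
        parts.append(literal)
        if field is not None:
            parts.append(shlex.quote(str(values[field])))
    return "".join(parts)


def command(template, values):
    """Render straight to an argv list. Literal text is word-split on whitespace;
    each interpolated value lands whole inside a single argument (an empty value
    still yields an empty argument), because no shell ever sees it."""
    argv, current = [], None  # current: argument under construction, or None
    for literal, field in parse_template(template):
        for ch in literal:
            if ch.isspace():
                if current is not None:
                    argv.append(current)
                    current = None
            else:
                current = (current or "") + ch
        if field is not None:
            current = (current or "") + str(values[field])
    if current is not None:
        argv.append(current)
    return argv


def runcommand(argv):
    """Execute an argv list directly, with no shell in between."""
    return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample value containing shell metacharacters and spaces.
    values = {"filename": "notes; echo pwned.txt"}
    print(sh("cat {filename}", values))       # one quoted string for a shell
    print(command("cat {filename}", values))  # ['cat', 'notes; echo pwned.txt']
```

Feeding the `sh()` output back through `shlex.split` yields exactly the list `command()` produced directly, which is the round trip the quoted message calls wasteful.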