On Wed, May 23, 2012 at 7:00 PM, Steven D'Aprano <steve@pearwood.info> wrote:
anatoly techtonik wrote:

I am all ears how to make shutil.run() more secure. Right now I must
confess that I don't even realize how serious this problem is, so if
anyone can come up with a real-world example with an explanation of the
security concern that could be copied "as-is" into documentation, it
will surely be appreciated not only by me.

Start here:

http://cwe.mitre.org/top25/index.html

Code injection attacks include two of the top three security vulnerabilities, over even buffer overflows.

One sub-category of code injection:

OS Command Injection
http://cwe.mitre.org/data/definitions/78.html

I talked about this in my PyCon talk this year. It's easy to avoid and disastrous to get wrong. Please don't do it this way.

Geremy Condra
--
Steven

_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
http://mail.python.org/mailman/listinfo/python-ideas
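The point made above about OS command injection (CWE-78) comes down to one design decision for a `shutil.run()`-style helper: take an argument list and never hand a string to a shell. The following is an added example written for this page; it is not code from the thread or from any proposed `shutil.run()` implementation, and the names `run_argv`, `shell_command_for`, `echo_first_arg`, `rejects_string_command` and the constructed `UNTRUSTED_NAME` value are assumptions of this example. It spawns Python itself as the child so it runs on any platform, and shows that a value containing shell metacharacters arrives in the child as one literal argument.

```python
"""
Added example (not part of the python-ideas thread): a shell-free command
runner, illustrating why a shutil.run()-style API should accept an
argument list rather than a shell string.
"""
import shlex
import subprocess
import sys


def run_argv(argv, **kwargs):
    """Run a command given as an argument list, never through a shell.

    Each element of argv reaches the child process as one literal
    argument, so shell metacharacters inside user-controlled values are
    inert: no shell ever parses the command line (the CWE-78 case).
    """
    if isinstance(argv, str):
        # A bare string invites "cmd + user_input" concatenation; refuse it.
        raise TypeError("pass an argument list, not a command string")
    if kwargs.get("shell"):
        raise ValueError("shell=True defeats the purpose of this helper")
    return subprocess.run(list(argv), capture_output=True, text=True,
                          check=True, **kwargs)


def shell_command_for(argv):
    """Build a shell command string from argv with every element quoted.

    Only for the rare case where a shell is unavoidable (e.g. a command
    line that must travel through ssh); shlex.quote turns each element
    into exactly one shell word, whatever characters it contains.
    """
    return " ".join(shlex.quote(arg) for arg in argv)


def echo_first_arg(value):
    """Spawn a child (python itself, so this works anywhere) that prints
    its first argument unchanged, and return what it printed.

    Demonstrates that an untrusted value stays a single argument from
    the caller all the way into the child.
    """
    result = run_argv([sys.executable, "-c",
                       "import sys; print(sys.argv[1], end='')", value])
    return result.stdout


def rejects_string_command(cmd):
    """Return True if run_argv refuses cmd because it is a string."""
    try:
        run_argv(cmd)
    except TypeError:
        return True
    return False


# Constructed untrusted input: a "filename" that a shell would split into
# two commands. Passed through argv it is just text the child sees verbatim.
UNTRUSTED_NAME = "report.txt; echo not-a-command"

if __name__ == "__main__":
    print(repr(echo_first_arg(UNTRUSTED_NAME)))
    print(shell_command_for(["ls", "-l", UNTRUSTED_NAME]))
```

Running the block prints the untrusted value back exactly as it was given, because the child received it as `sys.argv[1]` rather than as part of a shell command line; the second line shows the quoted form that would be needed if a shell had to be involved at all.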