On Wed, May 23, 2012 at 7:00 PM, Steven D'Aprano <steve@pearwood.info> wrote:
> anatoly techtonik wrote:
>> I am all ears how to make shutil.run() more secure. Right now I must
>> confess that I don't even realize how serious this problem is, so if
>> anyone can come up with a real-world example with an explanation of the
>> security concern that could be copied "as-is" into the documentation, it
>> will surely be appreciated not only by me.
>
> Start here:
>
> http://cwe.mitre.org/top25/index.html
>
> Code injection attacks include two of the top three security
> vulnerabilities, ahead of even buffer overflows.
>
> One sub-category of code injection:
>
> OS Command Injection
> http://cwe.mitre.org/data/definitions/78.html
>
> --
> Steven

I talked about this in my PyCon talk this year. It's easy to avoid and disastrous to get wrong. Please don't do it this way.

Geremy Condra
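The argv-list versus shell-string distinction behind the "easy to avoid" remark above, as an added example that is not part of the thread. The run_argv()/shell_command() helpers are hypothetical stand-ins, not a proposed shutil.run() API; the child process is a small Python one-liner so the demo runs anywhere.

```python
"""Added example: why an argument list is the safe way to run a command.

Assumptions (not from the thread): run_argv()/shell_command() are
hypothetical helpers; the child is a Python one-liner that reports argv.
"""
import json
import shlex
import subprocess
import sys

# Child program that prints the argument vector it actually received.
ECHO_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def run_argv(*user_args: str) -> list[str]:
    """Safe pattern: pass an argument list with shell=False (the default).

    Each list element becomes exactly one argv entry. No shell ever parses
    it, so ';', '|' or '$(...)' inside user data are just characters.
    """
    argv = [sys.executable, "-c", ECHO_ARGV, *user_args]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def shell_command(*user_args: str) -> str:
    """If a shell string is unavoidable, quote every piece with shlex.quote().

    Plain formatting ("cmd " + arg) is the CWE-78 mistake: the shell splits
    the user data at metacharacters and runs the remainder as new commands.
    """
    parts = (sys.executable, "-c", ECHO_ARGV, *user_args)
    return " ".join(shlex.quote(p) for p in parts)


def run_shell_string(command: str) -> list[str]:
    """Run a (properly quoted) POSIX sh string and return the argv the child saw."""
    out = subprocess.run(command, shell=True, capture_output=True,
                         text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Constructed sample: a "filename" carrying shell metacharacters.
    hostile = "notes.txt; echo injected"
    print(run_argv(hostile))                         # ['notes.txt; echo injected']
    print(run_shell_string(shell_command(hostile)))  # same single argument
```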