On Thu, May 24, 2012 at 6:24 AM, geremy condra wrote:
On Wed, May 23, 2012 at 7:00 PM, Steven D'Aprano wrote:
anatoly techtonik wrote:
I am all ears how to make shutil.run() more secure. Right now I must confess that I don't even realize how serious these problems are, so if anyone can come up with a real-world example with explanation of security concern that could be copied "as-is" into documentation, it will surely be appreciated not only by me.
Start here:
http://cwe.mitre.org/top25/index.html
Code injection attacks include two of the top three security vulnerabilities, over even buffer overflows.
One sub-category of code injection:
OS Command Injection http://cwe.mitre.org/data/definitions/78.html
Great links. Thanks. Are they still too generic to be placed in docs?
I talked about this in my pycon talk this year. It's easy to avoid and disastrous to get wrong. Please don't do it this way.
Sorry, don't have too much time to watch it right now. Any specific slides, ideas or excerpts?
-- anatoly t.
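The OS command injection concern Steven links (CWE-78), as an added illustration that is not part of the thread: a string-based `shutil.run()` invites callers to interpolate untrusted values into one command string, and a value carrying shell metacharacters then changes the command structure itself. The input below is constructed; the tokenizer mimics how a POSIX shell would split the string, and the safe form runs `sys.executable` so it works offline.

```python
import shlex
import subprocess
import sys

# Constructed untrusted input, e.g. a user-supplied "file name".
UNTRUSTED_NAME = "report.txt; echo INJECTED"

# Tokens that separate one shell command from the next.
SEPARATORS = {";", "&&", "||", "|"}


def build_shell_string(name: str) -> str:
    """The risky pattern: interpolate the value into a single command string."""
    return f"cat {name}"


def build_quoted_string(name: str) -> str:
    """Mitigation when a string is unavoidable: shell-quote each untrusted value."""
    return f"cat {shlex.quote(name)}"


def build_argv(name: str) -> list[str]:
    """Preferred form: an argument vector, so no shell ever parses the value."""
    return ["cat", name]


def commands_in(command: str) -> list[list[str]]:
    """Split a command string the way /bin/sh would: into separate commands."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def run_safely(name: str) -> str:
    """Pass the value as argv; the child sees it intact, as data, not as syntax."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")
```

`commands_in(build_shell_string(UNTRUSTED_NAME))` yields two commands, the second being `echo INJECTED`; the quoted string and the argv form both keep the whole value as a single argument.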