[New-bugs-announce] [issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

Christoph Neuroth report at bugs.python.org
Wed Feb 17 11:15:59 CET 2010


New submission from Christoph Neuroth <christoph.neuroth at googlemail.com>:

Currently, the documentation of subprocess only says "Calling the program through the shell is usually not required.". IMHO there should be a real warning (like, in its own box with a couple of big exclamation marks ;)) about the security implications of using this and detailed instructions of how to avoid it. People tend to use this functionality just because they "know how to use the shell" and it's just so convenient - and by doing so they create huge security holes in their applications.

----------
assignee: georg.brandl
components: Documentation
messages: 99465
nosy: christoph.neuroth, georg.brandl
severity: normal
status: open
title: subprocess.Popen documentation should contain a good warning about the security implications when using shell=True
type: security
versions: Python 2.6, Python 3.1

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue7950>
_______________________________________
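
The risk the report describes, as an added example that is not part of the original submission or of the Python documentation: the same constructed input is passed to a child process through a shell command string, as an argument list without a shell, and through a shell with quoting. It assumes Python 3.7+ on a POSIX system; `CHILD`, `UNTRUSTED` and the function names are hypothetical.

```python
import shlex
import subprocess
import sys

# Stand-in for any external tool: it prints the arguments it received.
CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed sample input: a "filename" containing shell metacharacters.
UNTRUSTED = "notes.txt; echo INJECTED"


def run_with_shell(filename):
    """Pattern the report warns about: input pasted into a shell command string."""
    cmd = " ".join(shlex.quote(p) for p in CHILD) + " " + filename
    # The shell parses ';' as a command separator, so the text after it
    # runs as a second command with the application's privileges.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(filename):
    """Argument list, no shell: the input reaches the child as one argv entry."""
    return subprocess.run(CHILD + [filename], capture_output=True, text=True).stdout


def run_with_shell_quoted(filename):
    """When a shell is unavoidable, quote every value (POSIX shells only)."""
    cmd = " ".join(shlex.quote(p) for p in CHILD + [filename])
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("shell=True, unquoted:", run_with_shell(UNTRUSTED).splitlines())
    print("argument list:       ", run_without_shell(UNTRUSTED).splitlines())
    print("shell=True, quoted:  ", run_with_shell_quoted(UNTRUSTED).splitlines())
```

Only the first variant lets the input change which commands run; in the other two the child receives the whole string as a single argument.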

