[Python-bugs-list] [ python-Bugs-666700 ] os.popen+() can take string list and bypass shell.
SourceForge.net
noreply@sourceforge.net
Sun, 12 Jan 2003 08:49:34 -0800
Bugs item #666700, was opened at 2003-01-12 16:45
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=666700&group_id=5470
Category: Documentation
Group: Python 2.2.2
Status: Open
Resolution: None
Priority: 5
Submitted By: Dani (asqui)
Assigned to: Nobody/Anonymous (nobody)
Summary: os.popen+() can take string list and bypass shell.
Initial Comment:
After being somewhat dumbfounded by the fact that there
is no easy way to securely give user input as
parameters to an external utility (because of the fact
that os.popen*() runs things in the shell), I was happy
to find that (os | popen2).popen[234]() will accept
either a string as the command and execute it within a
shell, or a string list which is executed directly.
This does not apply to os.popen(), however
popen2.popen[234]() all use this piece of code to
execute the command in the child process:
/usr/lib/python2.2/popen2.py
def _run_child(self, cmd):
if isinstance(cmd, types.StringTypes):
cmd = ['/bin/sh', '-c', cmd]
for i in range(3, MAXFD):
try:
os.close(i)
except:
pass
try:
os.execvp(cmd[0], cmd)
finally:
os._exit(1)
Meaning that unless cmd is a string it will be run
directly, outside of any shell.
This appears to be the case for os.popen[234]() as well
as popen2.popen*()
----------------------------------------------------------------------
>Comment By: Dani (asqui)
Date: 2003-01-12 16:49
Message:
Logged In: YES
user_id=569758
(The punch line which I omitted was that this fact is not
documented anywhere.)
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=666700&group_id=5470