[ python-Bugs-666700 ] os.popen+() can take string list and bypass
shell.
SourceForge.net
noreply at sourceforge.net
Tue Jan 11 16:19:32 CET 2005
Bugs item #666700, was opened at 2003-01-12 13:45
Message generated for change (Comment added) made by facundobatista
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=666700&group_id=5470
Category: Documentation
>Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: Dani (asqui)
Assigned to: Nobody/Anonymous (nobody)
Summary: os.popen+() can take string list and bypass shell.
Initial Comment:
After being somewhat dumbfounded by the fact that there
is no easy way to securely give user input as
parameters to an external utility (because of the fact
that os.popen*() runs things in the shell), I was happy
to find that (os | popen2).popen[234]() will accept
either a string as the command and execute it within a
shell, or a string list which is executed directly.
This does not apply to os.popen(), however
popen2.popen[234]() all use this piece of code to
execute the command in the child process:
/usr/lib/python2.2/popen2.py
def _run_child(self, cmd):
if isinstance(cmd, types.StringTypes):
cmd = ['/bin/sh', '-c', cmd]
for i in range(3, MAXFD):
try:
os.close(i)
except:
pass
try:
os.execvp(cmd[0], cmd)
finally:
os._exit(1)
Meaning that unless cmd is a string it will be run
directly, outside of any shell.
This appears to be the case for os.popen[234]() as well
as popen2.popen*()
----------------------------------------------------------------------
>Comment By: Facundo Batista (facundobatista)
Date: 2005-01-11 12:19
Message:
Logged In: YES
user_id=752496
Jeremy, could you please provide a patch for the docs? Thanks!
----------------------------------------------------------------------
Comment By: Jeremy Fincher (jemfinch)
Date: 2005-01-11 12:08
Message:
Logged In: YES
user_id=99508
Yes, I believe it should.
----------------------------------------------------------------------
Comment By: Facundo Batista (facundobatista)
Date: 2005-01-11 00:34
Message:
Logged In: YES
user_id=752496
Should this be fixed in 2.4? Now we have the "subprocess"
module.
----------------------------------------------------------------------
Comment By: Facundo Batista (facundobatista)
Date: 2005-01-11 00:34
Message:
Logged In: YES
user_id=752496
Please, could you verify if this problem persists in Python 2.3.4
or 2.4?
If yes, in which version? Can you provide a test case?
If the problem is solved, from which version?
Note that if you fail to answer in one month, I'll close this bug
as "Won't fix".
Thank you!
. Facundo
----------------------------------------------------------------------
Comment By: Jeremy Fincher (jemfinch)
Date: 2003-09-23 19:34
Message:
Logged In: YES
user_id=99508
Can I second that the documentation should definitely be
updated to reflect this possibility, even if it's only
available on *nix-like systems? This is something that many
other languages in the same realm as Python (Perl, PHP,
etc.) support and document, and I can't see any good reason
why we *shouldn't* document a more secure way to give data
to external programs.
----------------------------------------------------------------------
Comment By: Bernhard Herzog (bernhard)
Date: 2003-08-05 13:04
Message:
Logged In: YES
user_id=2369
Given that the command as list of strings feature only works
on Unix-like systems, ISTM it should perhaps only be
documented for the PopenN classes. Maybe the documentation
for the functions should state that on unix they accept
lists of strings, though.
----------------------------------------------------------------------
Comment By: Dani (asqui)
Date: 2003-01-12 13:49
Message:
Logged In: YES
user_id=569758
(The punch line which I omitted was that this fact is not
documented anywhere.)
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=666700&group_id=5470
More information about the Python-bugs-list
mailing list