[ python-Bugs-666700 ] os.popen+() can take string list and bypass shell.

SourceForge.net noreply at sourceforge.net
Tue Jan 11 17:56:53 CET 2005

Bugs item #666700, was opened at 2003-01-12 11:45
Message generated for change (Comment added) made by jemfinch
Category: Documentation
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: Dani (asqui)
Assigned to: Nobody/Anonymous (nobody)
Summary: os.popen+() can take string list and bypass shell.

Initial Comment:
After being somewhat dumbfounded by the fact that there
is no easy way to securely give user input as
parameters to an external utility (because of the fact
that os.popen*() runs things in the shell), I was happy
to find that (os | popen2).popen[234]() will accept
either a string as the command and execute it within a
shell, or a string list which is executed directly.

This does not apply to os.popen(); however,
popen2.popen[234]() all use this piece of code to
execute the command in the child process:

    def _run_child(self, cmd):
        # A plain string is handed to the shell; a list is exec'd as-is.
        if isinstance(cmd, types.StringTypes):
            cmd = ['/bin/sh', '-c', cmd]
        for i in range(3, MAXFD):   # close inherited descriptors first
            try:
                os.close(i)
            except OSError:
                pass
        os.execvp(cmd[0], cmd)

Meaning that unless cmd is a string it will be run
directly, outside of any shell.

This appears to be the case for os.popen[234]() as well
as popen2.popen*().
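
The string-versus-list distinction this report describes, as an added Python 3 example (not code from the thread or from the Python project): the same untrusted argument is handed to /bin/sh -c inside a command string, passed as an argv list, and passed inside a command string after shlex.quote(). It assumes a POSIX /bin/sh and an echo binary on PATH; the input value is constructed for the demonstration.

```python
import shlex
import subprocess

# Constructed sample input: a "filename" that carries shell metacharacters.
UNTRUSTED = "report.txt; echo INJECTED"


def _lines(cmd, **kwargs):
    """Run cmd and return its stdout split into lines (shared by the three cases)."""
    result = subprocess.run(cmd, capture_output=True, text=True, check=False, **kwargs)
    return result.stdout.splitlines()


def run_as_string(arg):
    """The os.popen()-style path: one string handed to /bin/sh -c.
    The shell parses it, so the ';' inside `arg` ends the echo command and
    starts a second one.  For UNTRUSTED this returns ['report.txt', 'INJECTED']."""
    return _lines("echo " + arg, shell=True)


def run_as_list(arg):
    """The popen2.Popen3([...]) path the report describes (and subprocess's
    default): an argv list exec'd directly, no shell involved.  `arg` reaches
    echo as one literal argument, metacharacters included."""
    return _lines(["echo", arg])


def run_as_quoted_string(arg):
    """When a shell command string is unavoidable, quote every untrusted
    argument (shlex.quote in Python 3, pipes.quote in Python 2) before
    concatenating it; the shell then sees a single word."""
    return _lines("echo " + shlex.quote(arg), shell=True)


if __name__ == "__main__":
    print("string :", run_as_string(UNTRUSTED))
    print("list   :", run_as_list(UNTRUSTED))
    print("quoted :", run_as_quoted_string(UNTRUSTED))
```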


Comment By: Jeremy Fincher (jemfinch)
Date: 2005-01-11 11:56

I think I misunderstood your question.  Yes, this *is* already fixed in the 
documentation for the subprocess module in 2.4.


Comment By: Facundo Batista (facundobatista)
Date: 2005-01-11 10:19

Jeremy, could you please provide a patch for the docs? Thanks!


Comment By: Jeremy Fincher (jemfinch)
Date: 2005-01-11 10:08

Yes, I believe it should.


Comment By: Facundo Batista (facundobatista)
Date: 2005-01-10 22:34

Should this be fixed in 2.4? Now we have the "subprocess"


Comment By: Facundo Batista (facundobatista)
Date: 2005-01-10 22:34

Please, could you verify if this problem persists in Python 2.3.4
or 2.4?

If yes, in which version? Can you provide a test case?

If the problem is solved, from which version?

Note that if you fail to answer in one month, I'll close this bug
as "Won't fix".

Thank you! 

    Facundo


Comment By: Jeremy Fincher (jemfinch)
Date: 2003-09-23 18:34

Can I second that the documentation should definitely be
updated to reflect this possibility, even if it's only
available on *nix-like systems?  This is something that many
other languages in the same realm as Python (Perl, PHP,
etc.) support and document, and I can't see any good reason
why we *shouldn't* document a more secure way to give data
to external programs.


Comment By: Bernhard Herzog (bernhard)
Date: 2003-08-05 12:04

Given that the command as list of strings feature only works
on Unix-like systems, ISTM it should perhaps only be
documented for the PopenN classes. Maybe the documentation
for the functions should state that on unix they accept
lists of strings, though.


Comment By: Dani (asqui)
Date: 2003-01-12 11:49

(The punch line which I omitted was that this fact is not
documented anywhere.)

