[issue13238] Add shell command helpers to shutil module
Nick Coghlan
report at bugs.python.org
Fri Oct 21 08:36:58 CEST 2011
Nick Coghlan <ncoghlan at gmail.com> added the comment:
And that's exactly the problem - a web developer's or security auditor's "shell injection" is a system administrator's "this language sucks".
These wrappers are the kind of thing you want for shell invocations when using Python as a replacement for a shell script or rewriting something that was originally written in Perl, but they're a terrible idea if anything you're interpolating came from an untrusted data source.
Currently, requiring "shell=True" in the arguments to the subprocess calls is considered a sufficient deterrent against people doing the wrong thing. I'm suggesting that requiring "import shutil" instead of "import subprocess" may be a similarly acceptable compromise that better serves the system administrators that choose to use Python for system automation tasks.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13238>
_______________________________________
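The distinction Nick draws above (convenient string interpolation for trusted shell-script-style use versus a shell-injection hazard when the interpolated value is untrusted) can be shown without running any external command. The example below is added here and is not code from the tracker thread or from CPython: it builds the same `ls -l <name>` command three ways, tokenises the string forms with `shlex` the way a POSIX shell would, and passes the value through an argv list (no shell at all) using `sys.executable` as a stand-in for a real program. The untrusted file name is a constructed sample.

```python
import shlex
import subprocess
import sys

# Constructed untrusted value: a file name supplied by a user. It contains a
# command separator, which a shell cannot distinguish from the command's own
# structure once the value has been pasted into a command string.
UNTRUSTED_NAME = "report.txt; echo INJECTED"


def naive_command(name: str) -> str:
    """Build the command the way a shell-script-style wrapper would:
    format the value straight into a string destined for shell=True."""
    return f"ls -l {name}"


def quoted_command(name: str) -> str:
    """Same string form, but the value goes through shlex.quote so the
    shell would see it as one literal word."""
    return f"ls -l {shlex.quote(name)}"


def shell_words(command: str) -> list[str]:
    """Tokenise a command string like a POSIX shell: words plus operator
    tokens (; & | < > ( )). Nothing is executed."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def argv_roundtrip(name: str) -> str:
    """Preferred pattern for untrusted data: pass an argument list with the
    default shell=False. The value reaches the child process verbatim as
    argv[1] because no shell ever parses it. sys.executable stands in for
    the real program here so the example runs anywhere Python does."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", name],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Naive interpolation: the shell would see two commands, not one file name.
    print(shell_words(naive_command(UNTRUSTED_NAME)))
    # Quoted interpolation: one command, one literal (if odd) file name.
    print(shell_words(quoted_command(UNTRUSTED_NAME)))
    # argv form: the child receives the exact string, metacharacters included.
    print(repr(argv_roundtrip(UNTRUSTED_NAME)))
```

The naive form tokenises to `['ls', '-l', 'report.txt', ';', 'echo', 'INJECTED']`, which is the injection the thread is worried about; the quoted form collapses the tail into a single word, and the argv form never involves a shell. For helpers aimed at administrators, `shlex.quote` on every interpolated value is the minimum; for anything that touches untrusted input, the argv list is the only form that carries no parsing risk.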