[issue21557] os.popen & os.system lack shell-related security warnings

R. David Murray report at bugs.python.org
Wed Dec 3 22:32:25 CET 2014


R. David Murray added the comment:

Since Raymond is the person who tends to object most strongly to warning boxes in the docs, let's get his opinion on this.  I'm not sure that the warning box is necessary, the text may be sufficient.  On the other hand, this *is* a significant insecurity vector.

As far as the text goes, I'd combine the two paragraphs and introduce the text from the second one with "Alternatively, ...".  And if it isn't a warning box, the language should be refocused to be positive: "Use the Popen module with shell=False to avoid the common security issues involved in using unsanitized input from untrusted sources..."

----------
nosy: +r.david.murray, rhettinger

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue21557>
_______________________________________
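
Added example, not part of the original message or of the Python documentation: the behaviour the proposed wording warns about, shown with a harmless constructed input. It assumes a POSIX /bin/sh; the function names, the child one-liner and the sample "filename" are illustrative.

```python
import shlex
import subprocess
import sys

# Constructed untrusted input: a "filename" that carries a shell metacharacter.
UNTRUSTED = "report.txt; echo INJECTED"

# Child program that prints the arguments it actually received.
CHILD = "import sys; print(sys.argv[1:])"
PY = shlex.quote(sys.executable)


def run_with_shell(value):
    """Command string parsed by the shell, as os.system()/os.popen() do."""
    cmd = f'{PY} -c "{CHILD}" {value}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(value):
    """Argument list with shell=False: the value is one argv entry, never parsed."""
    argv = [sys.executable, "-c", CHILD, value]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


def run_with_shell_quoted(value):
    """If a shell is unavoidable, quote every untrusted piece with shlex.quote()."""
    cmd = f'{PY} -c "{CHILD}" {shlex.quote(value)}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("shell=True        :", run_with_shell(UNTRUSTED).splitlines())
    print("shell=False       :", run_without_shell(UNTRUSTED).splitlines())
    print("shell=True, quoted:", run_with_shell_quoted(UNTRUSTED).splitlines())
```

In the first call the shell splits the string at the semicolon and runs the trailing text as a second command; in the other two the child receives the whole value as a single argument.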

