[Python-checkins] r86419 - python/branches/py3k/Doc/library/subprocess.rst
r.david.murray
python-checkins at python.org
Fri Nov 12 01:35:32 CET 2010
Author: r.david.murray
Date: Fri Nov 12 01:35:31 2010
New Revision: 86419
Log:
#7950: add warning about security implications of shell=True to subprocess docs
Patch by Chris Rebert.
Modified:
python/branches/py3k/Doc/library/subprocess.rst
Modified: python/branches/py3k/Doc/library/subprocess.rst
==============================================================================
--- python/branches/py3k/Doc/library/subprocess.rst (original)
+++ python/branches/py3k/Doc/library/subprocess.rst Fri Nov 12 01:35:31 2010
@@ -76,6 +76,24 @@
Popen(['/bin/sh', '-c', args[0], args[1], ...])
+ .. warning::
+
+ Executing shell commands that incorporate unsanitized input from an
+ untrusted source makes a program vulnerable to `shell injection
+ <http://en.wikipedia.org/wiki/Shell_injection#Shell_injection>`_,
+ a serious security flaw which can result in arbitrary command execution.
+ For this reason, the use of *shell=True* is **strongly discouraged** in cases
+ where the command string is constructed from external input::
+
+ >>> from subprocess import call
+ >>> filename = input("What file would you like to display?\n")
+ What file would you like to display?
+ non_existent; rm -rf / #
+ >>> call("cat " + filename, shell=True) # Uh-oh. This will end badly...
+
+ *shell=False* does not suffer from this vulnerability; the above Note may be
+ helpful in getting code using *shell=False* to work.
+
On Windows: the :class:`Popen` class uses CreateProcess() to execute the child
program, which operates on strings. If *args* is a sequence, it will be
converted to a string using the :meth:`list2cmdline` method. Please note that
More information about the Python-checkins
mailing list