[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
Jeremy Sanders
jeremy at jeremysanders.net
Fri Sep 26 09:28:15 CEST 2014
Antoine Pitrou wrote:
> Fortunately, Python's subprocess has its `shell` argument default to
> False. However, `os.system` invokes the shell implicitly and is
> therefore a possible attack vector.
Of course anything called by subprocess with shell=False may invoke the
shell itself if it runs other processes.
Jeremy
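An added illustration of the point made in this thread (not code from either poster or from CPython): a child started with `shell=False` calls `os.system()` itself, so `/bin/sh` still runs one level down and inherits the caller's environment, which is where CVE-2014-6271 function definitions travel. The variable name `DEMO_VAR`, the helper names and the sample values are constructed for the example; it assumes a POSIX system with `/bin/sh`.

```python
import os
import subprocess
import sys

# Pre-patch bash treated any environment value starting with these four
# characters as an exported function definition and parsed it at startup.
FUNC_PREFIX = "() {"

# Child program: started with shell=False, but it calls os.system() itself,
# so /bin/sh still runs one level down and inherits the environment.
CHILD_CODE = "import os; os.system('echo \"$DEMO_VAR\"')"


def scrub_env(env):
    """Copy env, dropping values that look like exported bash functions."""
    return {k: v for k, v in env.items() if not v.startswith(FUNC_PREFIX)}


def grandchild_shell_sees(env):
    """Return the value of DEMO_VAR as seen by the shell the child spawns."""
    result = subprocess.run(
        [sys.executable, "-c", CHILD_CODE],
        shell=False, env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample values; DEMO_VAR is a hypothetical variable name.
    benign = dict(os.environ, DEMO_VAR="inherited-value")
    func_like = dict(os.environ, DEMO_VAR="() { :; }")
    print("shell below shell=False child sees:", grandchild_shell_sees(benign))
    print("function-like value kept by scrub:", "DEMO_VAR" in scrub_env(func_like))
    print("shell sees after scrub:", repr(grandchild_shell_sees(scrub_env(func_like))))
```

Passing a scrubbed `env=` to `subprocess` limits what untrusted input reaches any shell further down the process tree; it complements a patched bash and does not replace it.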