[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
mcepl at cepl.eu
Fri Sep 26 09:28:39 CEST 2014
On 2014-09-25, 23:14 GMT, Cameron Simpson wrote:
>>Fortunately, Python's subprocess has its `shell` argument default to
>>False. However, `os.system` invokes the shell implicitly and is
>>therefore a possible attack vector.
> Only if /bin/sh is bash :-) Not always the case, fortunately.
Where does your faith that other /bin/sh implementations (dash,
busybox, etc.) are less buggy comes from? On the contrary, bash
being the most used, beaten, patched, and studied of them all
has plenty of arguments to claim to be the most secure /bin/sh
implementation around. You just don't know about those other
guys bugs. No reason to believe hackers don't know about them
More information about the Python-Dev