[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

[Serhiy Storchaka]

On 26.09.14 01:17, Antoine Pitrou wrote:
> Fortunately, Python's subprocess has its `shell` argument default to
> False. However, `os.system` invokes the shell implicitly and is
> therefore a possible attack vector.

Fortunately dash (which is used as /bin/sh in Debian and Ubuntu) is not 
vulnerable.

$ x='() { :;}; echo gotcha'  ./python -c 'import os; os.system("echo do 
something useful")'
do something useful