[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

Antoine Pitrou solipsis at pitrou.net
Fri Sep 26 15:03:51 CEST 2014

On Fri, 26 Sep 2014 14:56:05 +0200
Stefan Behnel <stefan_ml at behnel.de> wrote:
> Jeremy Sanders wrote on 26.09.2014 at 09:28:
> > Antoine Pitrou wrote:
> > 
> >> Fortunately, Python's subprocess has its `shell` argument default to
> >> False. However, `os.system` invokes the shell implicitly and is
> >> therefore a possible attack vector.
> > 
> > Of course anything called by subprocess with shell=False may invoke the 
> > shell itself if it runs other processes.
> Ok, but does that really make it a relevant topic for python-dev?

No. I don't know why the OP posted here.
(but we have all kinds of borderline discussion threads these days, and
people don't seem to care when they are asked to move the discussion
elsewhere, so...)


