[Python-ideas] shutil.runret and shutil.runout
Nick Coghlan
ncoghlan at gmail.com
Fri Feb 24 13:14:42 CET 2012
On Fri, Feb 24, 2012 at 9:46 PM, anatoly techtonik <techtonik at gmail.com> wrote:
> This is *the main point* that makes the subprocess module a failure, and a
> basis (main reason) of this proposal.
Anatoly, this is the exact kind of blanket statement that pisses
people off and makes them stop listening to you. The subprocess module
is not a failure by any means. Safely invoking subprocesses is a *hard
problem*. Other languages make the choice "guarding against shell
injections is a problem for the user to deal with" and allow them by
default in their subprocess invocation interfaces. They also make the
choice that the risk of data leakage through user provided format
strings is something for the developer to worry about and allow
implicit string interpolation.
Python doesn't allow either of those as a *deliberate design choice*.
The current behaviour isn't an accident, or due to neglect, or because
we're stupid. Instead, we default to the more secure, less convenient
options, and allow people to explicitly request the insecure behaviour
if they either:
1. don't care; or
2. do care, but also know it isn't actually a problem for their use case.
This is a *good thing* if you're an application programmer - secure
defaults let you conduct security audits by looking specifically for
cases where the safety checks have been bypassed. However, it mostly
sucks if you're wanting to use Python for system administration (or
similar) tasks where the shell is an essential tool rather than a
security risk and there's no untrusted data that comes anywhere near
your script.
I'll repeat my suggestion: if you want to do something *constructive*
about this, get Shell Command from PyPI and start using it, as it aims
to address both the shell invocation and the string interpolation
aspects of this issue. If you find problems, report them on the
module's issue tracker (although I'll point out in advance that STDERR
being separate from STDOUT by default is *deliberate*. If people want
them merged they can include a redirection in their shell command.
Otherwise STDERR needs to remain mapped to the same stream as it is in
the parent process so that tools like getpass() will still work in an
invoked shell command).
Regards,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
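
The audit that secure defaults make possible, as an added example (not part of the original message and not code from the subprocess module or Shell Command): because the shell is only reached when a caller asks for it, a reviewer can walk the syntax tree and list exactly those calls. The sample source, the function names and the choice of os.system/os.popen as always-shell calls are assumptions of this sketch.

```python
import ast

# Constructed sample source to audit (not from the thread).
SAMPLE = '''\
import os, subprocess
from subprocess import Popen
def safe(path):
    return subprocess.check_output(["ls", "-l", path])
def opted_out(path):
    return subprocess.call("ls -l " + path, shell=True)
def legacy(path):
    os.system("ls -l " + path)
def dynamic(cmd, flag):
    return Popen(cmd, shell=flag)
'''

# Standard-library calls that always hand their string to the shell.
ALWAYS_SHELL = {"os.system", "os.popen"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def find_shell_bypasses(source):
    """List (line, callee, reason) for every call that opts in to the shell."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func) or "<expression>"
        if name in ALWAYS_SHELL:
            findings.append((node.lineno, name, "always uses the shell"))
        for kw in node.keywords:
            if kw.arg != "shell":
                continue  # also skips **kwargs, which this sketch cannot see into
            if not isinstance(kw.value, ast.Constant):
                findings.append((node.lineno, name, "shell set dynamically"))
            elif kw.value.value:
                findings.append((node.lineno, name, "shell=True"))
    return sorted(findings)

if __name__ == "__main__":
    for line, callee, reason in find_shell_bypasses(SAMPLE):
        print(f"line {line}: {callee}: {reason}")
```

Each finding is a place where the reviewer then has to decide whether untrusted data can reach the command string; the list-argument call in `safe` is not reported.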