[Python-ideas] shutil.runret and shutil.runout

Mike Meyer mwm at mired.org
Fri Feb 24 14:09:31 CET 2012

On Fri, 24 Feb 2012 15:00:25 +0200
anatoly techtonik <techtonik at gmail.com> wrote:

> On Fri, Feb 24, 2012 at 2:50 PM, Masklinn <masklinn at masklinn.net> wrote:
> > On 2012-02-24, at 12:12 , anatoly techtonik wrote:
> >> 1. they require try/catch
> > No.
> Quote from the docs:
> "Run command with arguments. Wait for command to complete. If the
> return code was zero then return, otherwise raise CalledProcessError."
> http://docs.python.org/library/subprocess.html#subprocess.check_call

Quote from the docs:

    subprocess.call(args, *, stdin=None, stdout=None, stderr=None, shell=False)
        Run the command described by args. Wait for command to complete,
        then return the returncode attribute.

No documented exceptions raised, so no need for try/catch.

> >> 2. docs still refer to Popen, which IS complicated
> > True.
> >> 3. contain shell FUD
> > No, they contain warnings, against shell injection security
> > risks. Warnings are not FUD, it's not trying to sell some sort
> > of alternative it's just warning that `shell=True` is dangerous
> > on untrusted input.
> Warnings would be o.k. if they provided at least some guidelines where
> shell=True can be useful and where you need to use Popen (or
> escaping). Without positive examples, and a little research to show
> attack vectors (so that users can analyse if they are applicable in
> their specific case) it is FUD IMO.

You mean something like (quoting from the docs):
    Executing shell commands that incorporate unsanitized input from
    an untrusted source makes a program vulnerable to shell injection,
    a serious security flaw which can result in arbitrary command
    execution. For this reason, the use of shell=True is strongly
    discouraged in cases where the command string is constructed from
    external input:

    <example removed>

Mike Meyer <mwm at mired.org>		http://www.mired.org/
Independent Software developer/SCM consultant, email for more information.

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
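The two points argued above, that `subprocess.call` returns the exit status while `check_call` raises, and that `shell=True` hands the command string to a shell for parsing, can be seen directly. The script below is an added illustration, not code from this thread or from the Python documentation; it assumes a POSIX `/bin/sh` (so `shlex.quote` applies) and a `sys.executable` path without spaces. The helper names `argv_seen_by_child`, `exit_status` and `check_call_raises` are hypothetical. A child Python process reports the argv it actually received, so the effect of each construction is observable without running anything other than the interpreter itself.

```python
import json
import shlex
import subprocess
import sys

# Child program: print the argument list it received as one JSON array.
CHILD = "import json, sys; print(json.dumps(sys.argv[1:]))"


def argv_seen_by_child(name, how):
    """Run the child with an untrusted value `name` and return the argv it saw.

    `how` is a hypothetical selector for this example, not a subprocess API:
      "concat" -> one shell string built by concatenation, shell=True (unsafe)
      "list"   -> argument list, shell=False (recommended)
      "quoted" -> shell string with the value escaped by shlex.quote
    """
    prefix = [sys.executable, "-c", CHILD]
    if how == "concat":
        # Vulnerable pattern: the untrusted value is parsed by /bin/sh, so
        # whitespace and any other shell metacharacter change the command.
        cmd = " ".join(shlex.quote(p) for p in prefix) + " " + name
        out = subprocess.check_output(cmd, shell=True)
    elif how == "list":
        # Recommended pattern: no shell involved, the value is exactly one
        # argv element whatever characters it contains.
        out = subprocess.check_output(prefix + [name])
    elif how == "quoted":
        # If a shell string is unavoidable, escape every element.
        cmd = " ".join(shlex.quote(p) for p in prefix + [name])
        out = subprocess.check_output(cmd, shell=True)
    else:
        raise ValueError("unknown construction: %r" % how)
    return json.loads(out)


def exit_status(code):
    """subprocess.call returns the child's exit status and raises nothing."""
    return subprocess.call([sys.executable, "-c", "raise SystemExit(%d)" % code])


def check_call_raises(code):
    """subprocess.check_call raises CalledProcessError on non-zero status.

    Returns the returncode carried by the exception, or None if no
    exception was raised (i.e. the child exited with status 0).
    """
    try:
        subprocess.check_call([sys.executable, "-c", "raise SystemExit(%d)" % code])
    except subprocess.CalledProcessError as exc:
        return exc.returncode
    return None


if __name__ == "__main__":
    # Constructed untrusted input: a file name containing a space.
    untrusted = "two words"
    for how in ("concat", "list", "quoted"):
        print("%-6s -> %r" % (how, argv_seen_by_child(untrusted, how)))
    print("call returned", exit_status(3))
    print("check_call raised with returncode", check_call_raises(3))
```

With the space-containing value, `concat` delivers two arguments to the child while `list` and `quoted` deliver one; the same shell parsing is what the documentation's warning refers to for other metacharacters. `call` simply returns 3 for the failing child, whereas `check_call` raises `CalledProcessError` whose `returncode` is 3, which is why the first needs no try/except and the second does.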
