[Python-ideas] shutil.run (Was: shutil.runret and shutil.runout)

anatoly techtonik techtonik at gmail.com
Mon Jun 4 11:47:48 CEST 2012


On Thu, May 24, 2012 at 6:24 AM, geremy condra <debatem1 at gmail.com> wrote:
> On Wed, May 23, 2012 at 7:00 PM, Steven D'Aprano <steve at pearwood.info> wrote:
>>
>> anatoly techtonik wrote:
>>
>>> I am all ears how to make shutil.run() more secure. Right now I must
>>> confess that I don't even realize how serious this problem is, so if
>>> anyone can come up with a real-world example with an explanation of the
>>> security concern that could be copied "as-is" into documentation, it
>>> will surely be appreciated not only by me.
>>
>>
>> Start here:
>>
>> http://cwe.mitre.org/top25/index.html
>>
>> Code injection attacks include two of the top three security
>> vulnerabilities, over even buffer overflows.
>>
>> One sub-category of code injection:
>>
>> OS Command Injection
>> http://cwe.mitre.org/data/definitions/78.html

Great links. Thanks. Are they still too generic to be placed in docs?

>
> I talked about this in my pycon talk this year. It's easy to avoid and
> disastrous to get wrong. Please don't do it this way.

Sorry, don't have too much time to watch it right now. Any specific
slides, ideas or excerpts?
--
anatoly t.
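Added example (not from this thread or from shutil): the OS command injection concern raised above, shown as the safe argv-list pattern a run() helper should enforce beside a dry-run view of how a shell would tokenise the same data when interpolated into a command string. The hostile file name is constructed; `child_argv` uses a Python child process instead of a real command so it runs offline on any platform.

```python
"""Added example: why a run() helper should take an argv list and never
build a shell command string from caller-supplied data (CWE-78)."""
import json
import shlex
import subprocess
import sys

# Constructed, deliberately hostile file name (not real data).
HOSTILE_NAME = "report.txt; echo INJECTED"


def run_argv(argv):
    """Run a program from an explicit argument list with shell=False.

    Every element becomes exactly one argv entry in the child, so shell
    metacharacters inside the data are never interpreted. A bare string
    is rejected rather than silently handed to a shell."""
    if isinstance(argv, str):
        raise TypeError("pass an argument list, not a command string")
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True)


def child_argv(*args):
    """Spawn a Python child that reports the argv it received, so the
    example demonstrates argument passing without running a real tool."""
    reporter = "import json, sys; print(json.dumps(sys.argv[1:]))"
    completed = run_argv([sys.executable, "-c", reporter, *args])
    return json.loads(completed.stdout)


def shell_tokens(command_line):
    """Show how a POSIX shell would tokenise a command string, without
    executing it: punctuation_chars makes ';' a token of its own, which
    is exactly the point where an injected second command begins."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


if __name__ == "__main__":
    # Safe: the hostile name reaches the child as a single argument.
    print(child_argv("cat", HOSTILE_NAME))
    # Unsafe pattern: interpolating the same data into a shell string
    # splits it into two commands before anything is even executed.
    print(shell_tokens("cat " + HOSTILE_NAME))
```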



More information about the Python-ideas mailing list