[Tutor] subprocess module: when to _NOT_ use shell=True
Eike Welk
eike.welk.lists1 at gmx.de
Mon Mar 11 00:27:39 CET 2013
On Sunday 10.03.2013 09:56:26 akleider at sonic.net wrote:
> I've not found anywhere a clear explanation of when not to set shell=True.
> If the command line must be interpreted by the shell then clearly this
> must be set. So the question that comes up is why not set it always?
Because ``shell=True`` is a security problem. It it is also not portable.
Someone might want to run your code on windows, which has no Bash.
The security problem arises when the command contains any user input. The user
could enter a bit of carefully crafted text, that tricks Bash into doing
something that you don't want. The technique is called "shell code injection".
The nicest example is the "Bobby tables" episode from XKCD, that covers a
similar situation with SQL injection:
http://www.explainxkcd.com/wiki/index.php?title=327:_Exploits_of_a_Mom
And on Wikipedia:
http://en.wikipedia.org/wiki/Code_injection#Shell_injection
--
Eike.
More information about the Tutor
mailing list