R. David Murray added the comment:

Since setup.py can run arbitrary Python code, it is pointless to worry about 
this from a security perspective.  The change is otherwise not a bad idea, 
though, since it avoids filename quoting problems.  Is there any chance this 
would break existing setup.py files that do their own quoting of the filenames 
to get around the quoting problem?  I'm guessing not since the filename gets 
used in multiple contexts, and the other contexts probably require an unquoted 
filename. Which would make this a simple bug fix against bdist_rpm.

However, why not convert to using Popen?

----------
nosy: +r.david.murray
type: security -> behavior
versions: +Python 3.5, Python 3.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue25627>
_______________________________________
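
The quoting problem and the Popen suggestion in the comment above, as an added example that is not part of the original message or of distutils. A child Python process stands in for the external command, the filenames are constructed, and a POSIX `sh` is assumed.

```python
import shlex
import subprocess
import sys

# Stand-in for the external command: a child Python process that reports
# each argument it actually received (assumption; not the real rpm call).
TOOL = [sys.executable, "-c",
        "import sys; [print('arg:', a) for a in sys.argv[1:]]"]


def run_shell_string(filename):
    """os.popen style: paste the filename into a string parsed by sh."""
    cmd = " ".join(shlex.quote(p) for p in TOOL) + " " + filename
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_shell_quoted(filename):
    """Still a shell string, but the filename is quoted for sh first."""
    cmd = " ".join(shlex.quote(p) for p in TOOL + [filename])
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_argv_list(filename):
    """Popen style: no shell, the filename is exactly one argv entry."""
    with subprocess.Popen(TOOL + [filename], stdout=subprocess.PIPE,
                          text=True) as proc:
        out, _ = proc.communicate()
    return out.splitlines()


if __name__ == "__main__":
    # Constructed filenames: a space, shell punctuation, and a name that
    # a caller has already wrapped in quotes to work around the problem.
    for name in ["my package.spec", "a.spec; echo extra",
                 "'pre quoted.spec'"]:
        print(repr(name))
        print("  shell string:", run_shell_string(name))
        print("  shell quoted:", run_shell_quoted(name))
        print("  argv list   :", run_argv_list(name))
```

The last filename shows the compatibility question raised in the comment: a caller that already quotes the name gets the intended result from the shell string, but the quote characters become part of the filename once the shell is no longer involved.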
_______________________________________________
Python-bugs-list mailing list