Serhiy Storchaka <storchaka+cpyt...@gmail.com> added the comment:

Searching for os.popen in code on GitHub gives around 4.5 million results. 
It seems that most of them use literal strings which are very specific to the 
program, like

    check2 = os.popen('grep "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/*').read()

They are not vulnerable to shell injection, and the other drawbacks of os.popen do 
not matter in those cases. Most of that code looks like specialized scripts 
rather than parts of general libraries.

Yes, some examples can be vulnerable to shell injection (although in their use 
cases, with restricted data and environment, they can be pretty safe). But 
deprecating os.popen can break millions of scripts and cause more harm than it 
prevents.

It may be a better strategy to document the drawbacks and limitations of os.popen and 
advertise alternatives.

----------
nosy: +serhiy.storchaka

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42641>
_______________________________________
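The distinction the comment draws (a fixed literal command string versus one built from runtime data) and the alternative it alludes to, shown as an added example. This is not code from the tracker thread or from CPython; the helper names are hypothetical, the grep command is only tokenised with shlex rather than run, and the child process spawned is the Python interpreter itself so it needs neither grep nor /etc/sysctl.conf.

```python
"""Added example (not from the tracker thread or CPython): a fixed os.popen
string, an interpolated one, and the subprocess argv form side by side."""
import json
import shlex
import subprocess
import sys

# The literal form quoted in the comment: the command text is fixed when the
# script is written, so no runtime data reaches the shell parser at all.
FIXED_COMMAND = 'grep "net\\.ipv4\\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/*'


def shell_tokens(command: str) -> list[str]:
    """Split a command string into words the way a POSIX shell would.
    Only tokenisation is shown; a real shell would also expand the glob
    /etc/sysctl.d/* and interpret metacharacters such as ';' or '|'."""
    return shlex.split(command)


def interpolated_command(pattern: str) -> str:
    """The risky variant: runtime data pasted into shell text. Quotes and
    spaces inside `pattern` are parsed as shell syntax, not as the pattern."""
    return f'grep "{pattern}" /etc/sysctl.conf'


def quoted_command(pattern: str) -> str:
    """If a shell string is unavoidable, shlex.quote makes the value a single
    shell word whatever characters it contains."""
    return f"grep {shlex.quote(pattern)} /etc/sysctl.conf"


def grep_argv(pattern: str, paths: list[str]) -> list[str]:
    """The subprocess form: an argv list, no shell. `-e` binds the pattern even
    if it starts with '-', and `--` ends option parsing before the paths; an
    argv list stops shell injection but not option injection on its own."""
    return ["grep", "-e", pattern, "--", *paths]


def argv_roundtrip(args: list[str]) -> list[str]:
    """Spawn a child with an argv list (shell=False, the subprocess default)
    and return the arguments exactly as the child received them. The child
    is the Python interpreter, so this runs anywhere Python does."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    proc = subprocess.run(
        [sys.executable, "-c", child, *args],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    value = 'a" "b'  # constructed value containing a quote and a space
    print(shell_tokens(FIXED_COMMAND))
    print(shell_tokens(interpolated_command(value)))  # one value becomes two words
    print(shell_tokens(quoted_command(value)))        # one value stays one word
    print(argv_roundtrip([value, "/etc/sysctl.conf"]))  # arrives intact, no shell
```

The argv form is what `subprocess.run(["grep", ...])` does by default; the `-e` and `--` in `grep_argv` are the extra step practitioners tend to forget, because a pattern or path beginning with `-` is still parsed as an option by grep even when no shell is involved.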