This was helpful: http://sarge.readthedocs.org/en/latest/internals.html#how-shell-quoting-works

--
Wes Turner

On Thu, Sep 25, 2014 at 5:17 PM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Thu, 25 Sep 2014 13:00:16 -0700
> Bob Hanson <d2mp...@newsguy.com> wrote:
>> Critical bash vulnerability CVE-2014-6271 may affect Python on
>> *n*x and OSX:
>>
>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
>>
>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>>
>> <http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html>
>>
>> <http://www.openwall.com/lists/oss-security/2014/09/24/17>
>>
>> Also see <news:gmane.comp.security.fulldisclosure> for thread on
>> same being started today.
>
> Fortunately, Python's subprocess has its `shell` argument default to
> False. However, `os.system` invokes the shell implicitly and is
> therefore a possible attack vector.
>
> Regards
>
> Antoine.
>
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com
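
Added example, not part of the original thread or of any project mentioned in it: a small `ast`-based audit that finds the call sites the reply above distinguishes, namely `os.system`/`os.popen` (always a shell) versus `subprocess` calls, which start a shell only when `shell=` is passed. The function names and the sample source are constructed for illustration, and the check assumes modules are referenced by their plain names (`import os`, `import subprocess`); aliased or `from`-imported names are not resolved.

```python
import ast

# Calls that always hand the command string to /bin/sh.
ALWAYS_SHELL = {"os.system", "os.popen"}
# subprocess entry points that use a shell only when shell=True is passed.
SUBPROCESS_FUNCS = {"subprocess." + n for n in
                    ("call", "check_call", "check_output", "run", "Popen")}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_shell_calls(source):
    """Return sorted (line, call, reason) tuples for calls that start a shell."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in ALWAYS_SHELL:
            findings.append((node.lineno, name, "implicit shell"))
        elif name in SUBPROCESS_FUNCS:
            for kw in node.keywords:
                if kw.arg != "shell":
                    continue
                if isinstance(kw.value, ast.Constant):
                    if kw.value.value:
                        findings.append((node.lineno, name, "shell=True"))
                else:  # value decided at runtime, needs manual review
                    findings.append((node.lineno, name, "shell= not constant"))
    return sorted(findings)

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
import os, subprocess
os.system("convert " + path)
subprocess.call(["convert", path])
subprocess.check_output("ls " + d, shell=True)
subprocess.Popen(cmd, shell=use_shell)
subprocess.run(["id"], shell=False)
'''

if __name__ == "__main__":
    for line, call, reason in find_shell_calls(SAMPLE):
        print(f"line {line}: {call} ({reason})")
```

Each finding is a place where the environment of the Python process reaches a shell, which on systems where that shell is an unpatched bash is the exposure discussed in the thread.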