On Fri, Sep 26, 2014 at 10:29 AM, Devin Jeanpierre
<jeanpierr...@gmail.com> wrote:
> As I understand it, if the attacker can help specify the environment
> (e.g. this is a CGI script), and you run os.system('echo hi'), you can
> get pwned. Even safe uses of os.system are vulnerable unless you point
> /bin/sh at a secure shell (e.g. patched bash).

/bin/sh may well not point to bash anyway - it doesn't on any of my
systems. Debian provides dash instead, much faster than bash. But if
you're invoking a script that calls for bash, then it's vulnerable.

ChrisA
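The mitigation implied by the exchange above is to keep attacker-influenced environment variables (the HTTP_* and QUERY_STRING values a CGI server exports) away from any shell, or to avoid spawning /bin/sh at all. The following is an added example, not code from the thread: it builds an allow-listed child environment, runs a command without a shell, and reports which binary /bin/sh actually resolves to. The key names in ALLOWED_ENV_KEYS and the sample CGI environment are constructed for illustration.

```python
import os
import subprocess

# Keys a child process legitimately needs; everything else a CGI server
# exports (HTTP_* headers, QUERY_STRING, ...) is under request control.
# The list is an assumption for this example; trim it to your deployment.
ALLOWED_ENV_KEYS = ("PATH", "LANG", "HOME", "TZ")

# Constructed stand-in for the environment a CGI server would hand us.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "constructed-sample-agent",
    "QUERY_STRING": "a=1",
}


def resolve_sh(path="/bin/sh"):
    """Name of the binary /bin/sh really is, e.g. 'dash' or 'bash'."""
    return os.path.basename(os.path.realpath(path))


def safe_env(source=None, allowed=ALLOWED_ENV_KEYS):
    """Build a minimal child environment: only allow-listed keys survive.

    Dropping request-derived variables means a shell started later never
    sees them, whichever shell /bin/sh happens to be.
    """
    src = os.environ if source is None else source
    return {k: v for k, v in src.items() if k in allowed}


def run_without_shell(argv, env):
    """Run argv directly (no /bin/sh) with an explicit environment."""
    result = subprocess.run(argv, env=env, capture_output=True,
                            text=True, check=False)
    return result.returncode, result.stdout


if __name__ == "__main__":
    print("/bin/sh resolves to:", resolve_sh())
    env = safe_env(SAMPLE_CGI_ENV)
    print("child env keys:", sorted(env))          # only PATH survives
    print(run_without_shell(["echo", "hi"], env))  # (0, 'hi\n')
```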
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev