On 26.09.14 01:17, Antoine Pitrou wrote:
> Fortunately, Python's subprocess has its `shell` argument default to
> False. However, `os.system` invokes the shell implicitly and is
> therefore a possible attack vector.

Fortunately dash (which is used as /bin/sh in Debian and Ubuntu) is not vulnerable.

$ x='() { :;}; echo gotcha' ./python -c 'import os; os.system("echo do something useful")'
do something useful
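
An added example, not part of the original message or of CPython: one way to launch a child process without a shell while dropping environment values shaped like the `x` variable in the test above. The `() {` prefix check, the function names and the sample environment are assumptions of this example.

```python
import os
import subprocess
import sys

# Assumption: a value beginning with "() {" is what an unpatched bash
# treats as an exported function definition when it starts up.
FUNC_PREFIX = "() {"


def suspicious_env(env):
    """Return the names of variables whose value looks like a function definition."""
    return sorted(k for k, v in env.items() if v.startswith(FUNC_PREFIX))


def scrubbed_env(env):
    """Return a copy of env without the suspicious variables."""
    bad = set(suspicious_env(env))
    return {k: v for k, v in env.items() if k not in bad}


def child_sees(name, env):
    """Start a child with the scrubbed environment and report whether it sees `name`.

    argv is passed as a list and shell=False is the subprocess default,
    so no /bin/sh is started between this process and the child.
    """
    code = "import os, sys; sys.exit(0 if sys.argv[1] in os.environ else 1)"
    proc = subprocess.run([sys.executable, "-c", code, name], env=scrubbed_env(env))
    return proc.returncode == 0


# Constructed sample: the current environment plus the variable from the test above.
SAMPLE_ENV = dict(os.environ, x="() { :;}; echo gotcha")

if __name__ == "__main__":
    print("dropped:", suspicious_env(SAMPLE_ENV))
    print("child sees x:", child_sees("x", SAMPLE_ENV))
```

Scrubbing only narrows what reaches a child that later starts a shell itself; it does not replace updating the shell.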

