On 5 September 2015 at 12:36, Nikolaus Rath <nikol...@rath.org> wrote:
> Hi Nick,
>
> You are giving
>
>     runcommand(sh(i"cat (unknown)"))
>
> as an example that avoids injection attacks. While this is true, I think
> this is still a terrible anti-pattern[1] that should not be entombed in
> a PEP as a positive example.
>
> Could you consider removing it?
>
> (It doubly wastes resources by pointlessly calling a shell, and then by
> parsing & quoting the argument only for the shell to do the same in
> reverse).
Any reasonable implementation of that pattern wouldn't actually call a system shell; it would invoke something like Julia's command system.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
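Nick's point, that a sane `sh()` would never hand the rendered string to a system shell, as an added Python example (not PEP 501's code, not Julia's, and not from either poster): a hypothetical `sh_argv()` that tokenises the template's literal segments with POSIX quoting rules exactly once and passes each interpolated value through as one argv element, then `run_command()` executes the result with `subprocess.run` and no shell. Since the `i"..."` literal does not exist in Python, the template is represented here as alternating literal/value parts, so `i"cat $filename"` becomes `sh_argv("cat ", filename)`. The hostile filename below is constructed for the demonstration.

```python
"""Shell-free command templates: interpolated values are data, never syntax.

Hypothetical API written for this thread; it is not PEP 501's sh() and
not Julia's command system, only the same idea: quote-parse the literal
text once, and keep every interpolated value as a whole argument so the
injection that `f"cat {filename}"` + shell=True would allow cannot occur.
"""
import shlex
import subprocess
from typing import Any


def sh_argv(*parts: Any) -> list[str]:
    """Render (literal, value, literal, value, ...) parts into an argv list.

    Literal segments go through shlex.split (POSIX quoting) once. A value
    becomes exactly one argument, except that when the surrounding literal
    text touches it with no whitespace (as in "--file=" + value or
    value + ".txt") it is glued onto that neighbouring token. Values are
    never re-tokenised, so ';', '|', '$(...)' and friends inside them are
    inert bytes in a single argv entry.
    """
    argv: list[str] = []
    touching = False  # did the previous part end flush against this one?
    for i, part in enumerate(parts):
        if i % 2 == 1:  # odd positions hold interpolated values
            text = str(part)
            if touching and argv:
                argv[-1] += text
            else:
                argv.append(text)
            touching = True
            continue
        literal = part
        tokens = shlex.split(literal)
        # Literal starting right after a value with no whitespace: glue its
        # first token onto that value ("notes" + ".txt" -> "notes.txt").
        if literal and not literal[0].isspace() and touching and argv and tokens:
            argv[-1] += tokens[0]
            tokens = tokens[1:]
        argv.extend(tokens)
        if literal:
            touching = not literal[-1].isspace()
        # An empty literal leaves `touching` as the previous value set it.
    return argv


def run_command(*parts: Any) -> subprocess.CompletedProcess:
    """Execute the rendered argv directly (no shell=True, nothing re-parsed)."""
    return subprocess.run(
        sh_argv(*parts), capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    # Constructed hostile value: under a shell this would run a second command.
    filename = "report.txt; echo injected"
    print(sh_argv("cat ", filename))
    # -> ['cat', 'report.txt; echo injected']  (one argument, no second command)
    print(sh_argv("--file=", "a b"))        # -> ['--file=a b']
    print(sh_argv("cat ", "notes", ".txt"))  # -> ['cat', 'notes.txt']
    # echo receives the whole string as a single argument and prints it as-is.
    print(run_command("echo ", filename).stdout, end="")
```

The contrast with the pattern Nikolaus objects to is the round trip: quoting a value for the shell and letting the shell unquote it is only safe as long as the quoting routine and the shell agree on every edge case, whereas an argv list has no second parser to disagree with. The glue rule is the one piece of judgement in the design; a stricter implementation could reject templates where a value touches literal text and force callers to build such arguments explicitly.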