I am working on <https://bugs.python.org/issue22636>, to fix shell injection problems with ctypes.util.find_library(). The proposal for Python 3 is to change os.popen(shell-script) calls to use subprocess.Popen().
However the Python 2.7 version of the module has a comment which says “This file should be kept compatible with Python 2.3, see PEP 291.” Looking at <https://www.python.org/dev/peps/pep-0291/>, it is not clear why we have to maintain this compatibility. My best guess is that there may be an external ctypes package that people want(ed) to keep compatible with 2.3, and also keep synchronized with 2.7.

I would like to lift this restriction to at least 2.4, because that is when the “subprocess” module was added. I notice that there is already code that relies on the list.sort(key=...) feature, which was added in 2.4. Ideally I would prefer to drop the restriction and only require 2.7 compatibility. Would either of these options be a problem?

If it is a problem, I think it is still possible to avoid the shell by passing a sequence of program arguments to os.popen(). But I prefer not to do this, because the function is marked as deprecated, and the code would be substantially different to Python 3.

-Martin

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
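The injection being fixed, as an added illustration that is not part of the message or of the ctypes code: the two functions below contrast the os.popen(shell-string) pattern with the proposed subprocess.Popen(argv-list) replacement. The real find_library() pipeline (ldconfig/gcc/objdump) is not shown in the message, so `echo` stands in for it here; `run_via_shell`, `run_via_argv` and `HOSTILE_NAME` are names made up for this example, and the hostile library name is constructed, not a real library.

```python
import os
import subprocess


def run_via_shell(name):
    """The pattern being replaced: the library name is pasted into a shell
    command string, so shell metacharacters in `name` are interpreted.

    `echo` stands in for the real ldconfig/gcc pipeline (assumption: the
    message only says a shell was used, not which command).
    """
    # os.popen() runs the string through /bin/sh -c on POSIX.
    with os.popen("echo %s" % name) as f:
        out = f.read()
    return out.splitlines()


def run_via_argv(name):
    """The proposed replacement: an argv list passed to subprocess.Popen
    without shell=True, so `name` reaches the program as one literal
    argument no matter which characters it contains.
    """
    proc = subprocess.Popen(["echo", name],
                            stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL)
    out, _ = proc.communicate()
    return out.decode("utf-8", "replace").splitlines()


# Constructed hostile library name for the demonstration (not a real library):
# a caller-controlled string carrying a shell command separator.
HOSTILE_NAME = "c; echo INJECTED"

if __name__ == "__main__":
    # ['c', 'INJECTED']: the shell ran a second command the caller smuggled in.
    print(run_via_shell(HOSTILE_NAME))
    # ['c; echo INJECTED']: the whole string arrived as a single argument.
    print(run_via_argv(HOSTILE_NAME))
```

Wrapping the name in shlex.quote() before interpolating it would also defuse this inside a shell string, but the argv form removes the shell from the picture entirely, which is why the message prefers it over keeping os.popen() with a hand-quoted command.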