Definitely agree with Justin - you should be avoiding shell=True unless you
need to use the shell syntax for some reason. It's often used because
sometimes people get lazy, and don't want to split a command up into
separate strings, i.e.:
```python
from subprocess import Popen

Popen('ls /some/file', shell=True)
```
instead of
```python
from subprocess import Popen

Popen(['ls', '/some/file'])
```
However, the biggest problem is that if "/some/file" is from some sort of
variable, you now need to make sure you properly escape it, i.e.:
```python
import pipes  # Python 2; on Python 3 the same function is shlex.quote
from subprocess import Popen

arg = '/some/file with a space.txt'
Popen('ls {}'.format(pipes.quote(arg)), shell=True)
```
...which most people don't bother doing - but you always should*. So,
short answer: always use shell=False unless you've got some good reason you
want to use bash/cmd/whatever. (Which reminds me, another potential
issue with shell=True is less cross-platform compatibility. Though,
honestly, if you're calling out a process by name, 90% of the time you're
going to need to make tweaks per-platform anyway...)
- Paul
*Also, I'm mostly just talking about accidental bugs (like the spaces in
the filename), as opposed to security vulnerabilities / malicious intent.
I suspect that something like pipes.quote is fairly naive, and could
probably be fooled by some determined hacker who knew all the details of
string escaping on your particular platform / shell.
On Fri, Nov 17, 2017 at 1:03 AM Panupat Chongstitwattana <[email protected]>
wrote:
> Thank you Justin. Appreciate your input. The Shell=True was out of
> curiosity since I see it being used in many script examples.
>
> On Tuesday, November 14, 2017 at 1:32:03 AM UTC+7, Justin Israel wrote:
>
>>
>>
>> On Tue, Nov 14, 2017, 1:53 AM Panupat Chongstitwattana <[email protected]>
>> wrote:
>>
>>> Thank you Justin! You're right env.dic was my mistake.
>>>
>>> Is the security risk a thing we should be concerned about in a studio
>>> environment? I'm trying to set up a system that would load the correct
>>> version of plug-ins for each project by launching Maya with a custom Env.
>>>
>>
>> It's only a concern if you generate your shell command based on arbitrary
>> user input. An example is reading some kind of string from the command
>> line flags and building that into your Popen command. If you are purely
>> building the command internally and you aren't basing the command off of
>> aliases or environment variables then it's less of a risk. It's also less of
>> a risk if it's not a privileged process.
>>
>> Why do you specifically need shell=True anyway? What does your command
>> look like? If you are just building a single command to launch Maya under
>> an env, and this program is just a bootstrap to launch Maya, then maybe
>> what you want is one of the os.exec* functions, to exec a new program and
>> replace the current one.
>>
>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Python Programming for Autodesk Maya" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/python_inside_maya/8efde786-eeed-48b4-bd03-51419ba44b87%40googlegroups.com
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
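As an added example (not code posted by anyone in this thread), the point Paul and Justin make, made concrete on a POSIX system: the same user-supplied filename, which happens to contain a `;`, is passed three ways - interpolated raw into a shell=True string, quoted with shlex.quote (the Python 3 name for pipes.quote) into a shell=True string, and as an argv list with shell=False. The "tool" being launched is the running Python interpreter told to echo its arguments, so nothing depends on Maya being installed. The `build_bootstrap` helper sketches Justin's os.exec* suggestion for the Maya launcher; the `maya` executable name and the `MAYA_PLUG_IN_PATH` variable there are assumptions for illustration, and the sample filename is constructed for the demo.

```python
import os
import shlex
import subprocess
import sys

# The launched "tool" is the running interpreter itself, told to print its
# argument list, so the example runs anywhere Python and /bin/sh exist.
ECHO_ARGS = "import sys; print(sys.argv[1:])"

# Constructed sample input: a filename a user could hand us that carries a
# shell metacharacter.  Nothing here is real studio data.
EVIL_NAME = "report.txt; echo INJECTED"


def run_shell_unquoted(name):
    """shell=True with the value interpolated raw: /bin/sh splits on ';'
    and runs a second command we never intended."""
    cmd = '{} -c "{}" {}'.format(sys.executable, ECHO_ARGS, name)
    return subprocess.check_output(cmd, shell=True, universal_newlines=True)


def run_shell_quoted(name):
    """shell=True, but every piece is passed through shlex.quote first, so
    the shell sees the whole filename as one word."""
    pieces = (sys.executable, "-c", ECHO_ARGS, name)
    cmd = " ".join(shlex.quote(p) for p in pieces)
    return subprocess.check_output(cmd, shell=True, universal_newlines=True)


def run_list(name):
    """shell=False with an argv list: no shell is involved, so there is
    nothing to re-parse and nothing to escape."""
    argv = [sys.executable, "-c", ECHO_ARGS, name]
    return subprocess.check_output(argv, universal_newlines=True)


def build_bootstrap(plugin_dir, maya_exe="maya"):
    """Assumed shape of a Maya launcher: return (argv, env) rather than a
    shell string.  'maya' and MAYA_PLUG_IN_PATH are assumptions here."""
    env = dict(os.environ)
    env["MAYA_PLUG_IN_PATH"] = plugin_dir
    return [maya_exe], env


def launch(plugin_dir):
    """Replace this process with the real program (Justin's os.exec*
    suggestion); no shell, no quoting, and the bootstrap never returns."""
    argv, env = build_bootstrap(plugin_dir)
    os.execvpe(argv[0], argv, env)


if __name__ == "__main__":
    print("unquoted shell:", run_shell_unquoted(EVIL_NAME).rstrip())
    print("quoted shell  :", run_shell_quoted(EVIL_NAME).rstrip())
    print("argv list     :", run_list(EVIL_NAME).rstrip())
```

Run stand-alone, the first call prints the echoed argument list and then a stray `INJECTED` line, because the shell executed `echo` as a second command; the other two print the whole filename as a single argument. shlex.quote produces POSIX quoting only, which is the cross-platform caveat Paul raises: the same string would need different treatment under cmd.exe, whereas the argv-list form sidesteps the question entirely.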