[issue21557] os.popen os.system lack shell-related security warnings
Changes by Demian Brecht demianbre...@gmail.com:

--
nosy: -demian.brecht

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue21557
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21557] os.popen os.system lack shell-related security warnings
Changes by STINNER Victor victor.stin...@gmail.com:

--
nosy: +haypo
[issue21557] os.popen os.system lack shell-related security warnings
STINNER Victor added the comment:

Python 3.5 doc has no red warning in the subprocess module, but a nice section: https://docs.python.org/dev/library/subprocess.html#security-considerations

Why not simply copy the note of the subprocess doc?

Note: Read the Security Considerations section before using shell=True.
[issue21557] os.popen os.system lack shell-related security warnings
STINNER Victor added the comment:

subprocess.getstatusoutput(cmd) also needs this note (or warning).
[issue21557] os.popen os.system lack shell-related security warnings
Demian Brecht added the comment:

After discussion in Rietveld, the patch looks good to me.
[issue21557] os.popen os.system lack shell-related security warnings
R. David Murray added the comment:

Since Raymond is the person who tends to object most strongly to warning boxes in the docs, let's get his opinion on this. I'm not sure that the warning box is necessary, the text may be sufficient. On the other hand, this *is* a significant insecurity vector.

As far as the text goes, I'd combine the two paragraphs and introduce the text from the second one with "Alternatively,". And if it isn't a warning box, the language should be refocused to be positive: Use the Popen module with shell=False to avoid the common security issues involved in using unsanitized input from untrusted sources...

--
nosy: +r.david.murray, rhettinger
[issue21557] os.popen os.system lack shell-related security warnings
Chris Rebert added the comment:

Here is a patch that adds the necessary warnings from issue 7950. Please review it when you get a chance.

--
keywords: +patch
Added file: http://bugs.python.org/file37338/fix-21557.patch
[issue21557] os.popen os.system lack shell-related security warnings
Demian Brecht added the comment:

Left a comment in Rietveld.

--
nosy: +demian.brecht
[issue21557] os.popen os.system lack shell-related security warnings
New submission from Chris Rebert:

Since these functions run shell commands, which is a common vector for security-related bugs (see
* http://cwe.mitre.org/data/definitions/78.html
* http://cwe.mitre.org/data/definitions/88.html
), I suggest that they should have security warning boxes analogous to the one for the `subprocess` module: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments

--
assignee: docs@python
components: Documentation
messages: 218921
nosy: cvrebert, docs@python
priority: normal
severity: normal
status: open
title: os.popen os.system lack shell-related security warnings
versions: Python 2.7, Python 3.5
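The parsing difference the submission and the proposed note are about, as an added example that is not part of the issue or its patch: the same constructed "untrusted" value handed to /bin/sh through a concatenated command string (the os.system()/os.popen() pattern) versus passed as one argv element with shell=False, and the shlex.quote() fallback when a shell is unavoidable. It uses a harmless echo and assumes a POSIX shell is available.

```python
import shlex
import subprocess

# Constructed sample value: it contains a shell metacharacter (';') but is
# harmless here because only echo is involved. It stands in for any value
# that originates from user input, a filename, an HTTP parameter, etc.
UNTRUSTED = "hello; echo second"


def run_via_shell_string(user_value: str) -> list:
    """The os.system()/os.popen() pattern: concatenate, then let /bin/sh parse.

    The shell treats ';' as a command separator, so metacharacters in
    user_value change *which commands run*, not merely an argument (CWE-78).
    """
    cmd = "echo " + user_value
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_via_argv(user_value: str) -> list:
    """The recommended pattern from the thread: shell=False with an argv list.

    No shell is involved, so user_value reaches echo byte-for-byte as a single
    argument; nothing in it is interpreted.
    """
    out = subprocess.run(["echo", user_value], shell=False,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_via_quoted_shell(user_value: str) -> list:
    """If a shell really is required (pipes, globbing), quote every untrusted
    piece with shlex.quote() so the shell sees it as one literal word."""
    cmd = "echo " + shlex.quote(user_value)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("shell string :", run_via_shell_string(UNTRUSTED))  # ['hello', 'second']
    print("argv list    :", run_via_argv(UNTRUSTED))          # ['hello; echo second']
    print("quoted shell :", run_via_quoted_shell(UNTRUSTED))  # ['hello; echo second']
```

The first call yields two lines because the shell ran two commands; the other two yield one line containing the value verbatim, which is the behaviour the proposed documentation note steers readers toward.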