Christoph Neuroth christoph.neur...@googlemail.com added the comment:
As recommended by eric.smith on #7950, I'd like to suggest further extending
the documentation to include a security warning about (quite easily) possible
code injection bugs when using the shell=True parameter (similar to
Chris Rebert pyb...@rebertia.com added the comment:
One problem with the 3.x versions: the raw_input() should be input().
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
R. David Murray rdmur...@bitdance.com added the comment:
Thanks for catching that. Fixed r77987 r77988.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Chris Rebert pyb...@rebertia.com added the comment:
Okay, now if this could just get dev review...
--
Added file: http://bugs.python.org/file16128/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
Changes by Chris Rebert pyb...@rebertia.com:
Removed file: http://bugs.python.org/file16109/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Eric Smith e...@trueblade.com added the comment:
I think this is an improvement to the existing docs, and should be committed.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Changes by Nick Coghlan ncogh...@gmail.com:
Removed file: http://bugs.python.org/file16098/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Nick Coghlan ncogh...@gmail.com added the comment:
Committed for 2.7 as r77959.
Still needs to be merged to the other branches.
--
resolution: - accepted
status: open - pending
___
Python tracker rep...@bugs.python.org
Eric Smith e...@trueblade.com added the comment:
When merging to py3k, don't forget to modify the print statement to be a
function.
--
status: pending - open
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
R. David Murray rdmur...@bitdance.com added the comment:
Merged as part of r77961 (2.6), r77962 (py3k), and r77963 (3.1). Print fixed
for py3.
--
stage: patch review - committed/rejected
status: open - closed
___
Python tracker
Chris Rebert pyb...@rebertia.com added the comment:
Thanks to all for the copious feedback suggestions, and R. David Murray for
his superior docs writing skills!
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
Antoine Pitrou pit...@free.fr added the comment:
I still think this is much too verbose. The second note looks redundant with
the first one and the third one.
Remember, the notes you are adding may be useful, but they'll also make reading
the whole page more tedious.
--
Chris Rebert pyb...@rebertia.com added the comment:
Well, the same basic example is used for cohesiveness, but the issue/pitfall
being highlighted in each note is distinct. But you have a point about shlex
being pointed out twice, so here's a version with that redundancy excised.
--
R. David Murray rdmur...@bitdance.com added the comment:
I like the idea of pointing out that shlex can be used to determine exactly
what to pass to subprocess, but I agree that the proposed patch is too wordy
(and still too much in a negative voice).
Here is an alternate simpler patch.
Note
R. David Murray rdmur...@bitdance.com added the comment:
Hmm. Somehow the patch got lost. Let's try again.
--
Added file: http://bugs.python.org/file16099/subprocess-doc.patch
___
Python tracker rep...@bugs.python.org
Changes by R. David Murray rdmur...@bitdance.com:
Removed file: http://bugs.python.org/file16099/subprocess-doc.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
R. David Murray rdmur...@bitdance.com added the comment:
Woops, spotted a word I left out. Fixed.
--
Added file: http://bugs.python.org/file16100/subprocess-doc.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
Eric Smith e...@trueblade.com added the comment:
From David's patch:
Note in particular that options and their arguments go in separate list
elements, while arguments that need quoting when used in the shell
(such as filenames containing spaces or the python command shown
above) are
Chris Rebert pyb...@rebertia.com added the comment:
Counterpatch incorporating R. David Murray's succinctness improvements while
retaining correct positioning of the first note, managing to incorporate the
3rd note not present in Mr. Murray's, and including more precise wording to
address the
Changes by Chris Rebert pyb...@rebertia.com:
Removed file: http://bugs.python.org/file15033/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Changes by Chris Rebert pyb...@rebertia.com:
Removed file: http://bugs.python.org/file16095/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Changes by R. David Murray rdmur...@bitdance.com:
Removed file: http://bugs.python.org/file16100/subprocess-doc.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
R. David Murray rdmur...@bitdance.com added the comment:
By the way, I've been wanting the Popen docs improved for a long time but never
got around to it, so thanks for pushing for this.
--
___
Python tracker rep...@bugs.python.org
R. David Murray rdmur...@bitdance.com added the comment:
My placement of the note was carefully considered. It is discussing the
shell=False case and IMO belongs after that paragraph. I understand now your
concern about the note I omitted...and again I think this is a bug in the Popen
API.
Antoine Pitrou pit...@free.fr added the comment:
The following sentences look like a distraction to me:
« Additional quoting may be required because the entire string is a Python
string. It may be useful to use a Python raw string in complex cases. »
It is true of every string literal and is
Chris Rebert pyb...@rebertia.com added the comment:
This version takes Murray's most recent draft, applies some minor tweaks from
my prior patch, and has the python -c etc. changed to echo '$MONEY' so the
sh -c comment is completely unambiguous (and it's a simpler example generally).
Whether
Changes by Chris Rebert pyb...@rebertia.com:
Removed file: http://bugs.python.org/file16101/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
R. David Murray rdmur...@bitdance.com added the comment:
I'm happy to delete the two sentences about quoting.
As for -c, you are so right that it is cryptic. In the new version of the
patch I've changed the sentence to be as precise as possible, but I'm not at
all convinced that it is less
R. David Murray rdmur...@bitdance.com added the comment:
The change to echo is an excellent improvement. You forgot to change 'python'
to 'echo' in the following paragraph, though. You are also correct about
/bin/sh vs sh, my bad. And I was even looking at the source code when I wrote
Changes by Chris Rebert pyb...@rebertia.com:
Added file: http://bugs.python.org/file16109/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Changes by Chris Rebert pyb...@rebertia.com:
Removed file: http://bugs.python.org/file16108/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Eric Smith e...@trueblade.com added the comment:
Now you need to put the import of subprocess back in!
Otherwise it looks good to me.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
Antoine Pitrou pit...@free.fr added the comment:
This is a particularly verbose patch for the information it is trying to convey.
--
nosy: +pitrou
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
Terry J. Reedy tjre...@udel.edu added the comment:
The note starts out Do not (do x) unless you're not (doing y). This is
confusing. I believe this means If you are (doing y), you may (do x). If so,
please write it so. If not, please write what you do mean.
After thinking about it, Only (do
Terry J. Reedy tjre...@udel.edu added the comment:
PS. I only looked at the style of the patch. Once that is clearer, someone who
knows more than me needs to review it for content correctness.
--
___
Python tracker rep...@bugs.python.org
Chris Rebert pyb...@rebertia.com added the comment:
Working on a more concise new draft...
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Chris Rebert pyb...@rebertia.com added the comment:
Okay; new, hopefully better, draft. Feedback?
--
versions: -Python 3.1
Added file: http://bugs.python.org/file16094/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
Brian Curtin cur...@acm.org added the comment:
The raw_input() doesn't provide anything. I'd just drop that and pass the
string directly to shlex.split.
Do not put an argument-taking option together with its argument as a single
item in the *args* list
-- Something like Argument-taking
Chris Rebert pyb...@rebertia.com added the comment:
Gonna have to disagree about the raw_input(), because the escaping involved
would complicate the example and could be distracting/confusing.
Rest of Brian's suggestions taken into account.
--
Added file:
Changes by Chris Rebert pyb...@rebertia.com:
Removed file: http://bugs.python.org/file14770/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Changes by Chris Rebert pyb...@rebertia.com:
Removed file: http://bugs.python.org/file16094/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Changes by Nick Coghlan ncogh...@gmail.com:
--
nosy: +ncoghlan
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
___
Python-bugs-list mailing
Chris Rebert pyb...@rebertia.com added the comment:
Ok, changed to note directives instead of warnings. Anything else
that keeps this from being applied?
--
Added file: http://bugs.python.org/file15033/subprocess.rst.patch
___
Python tracker
Changes by Chris Rebert pyb...@rebertia.com:
Removed file: http://bugs.python.org/file14817/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
Benjamin Peterson benja...@python.org added the comment:
We are trying to cut down on the number of warning directives in the
docs; I think a note directive would be appropriate for yours.
--
nosy: +benjamin.peterson
___
Python tracker
Changes by Chris Rebert pyb...@rebertia.com:
--
versions: +Python 3.1, Python 3.2
Added file: http://bugs.python.org/file14817/subprocess.rst.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
New submission from Chris Rebert pyb...@rebertia.com:
From what I've seen on several c.l.p threads, some people have a tough
time figuring the correct 'args' argument to subprocess.Popen's
constructor. In an effort to cut down on such discussions in the future,
I've written the attached docs
Changes by Chris Rebert pyb...@rebertia.com:
--
type: - feature request
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6760
___
___
48 matches
Mail list logo
