[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

STINNER Victor added the comment: No problemo. -- ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: Sorry about impersonating your name as committer Victor. I have been fixing this problem in recent patches, but because I imported your patch a while ago I forgot about it. -- resolution: -> fixed stage: patch review -> resolved status: open -> closed

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Roundup Robot added the comment: New changeset a09ae70f3489 by Victor Stinner in branch '2.7': Issue #22636: Avoid using a shell in the ctypes.util module https://hg.python.org/cpython/rev/a09ae70f3489 -- ___ Python tracker

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Serhiy Storchaka added the comment: ctypes_util_popen-6.py2.patch LGTM. -- ___ Python tracker ___ ___

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: Updated Py 2 patch to handle OSError when shell=True is not used -- Added file: http://bugs.python.org/file43387/ctypes_util_popen-6.py2.patch ___ Python tracker

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Roundup Robot added the comment: New changeset 96d297e9a8a8 by Martin Panter in branch '3.5': Issue #22636: Handle OSError from subprocess, e.g. if command not found https://hg.python.org/cpython/rev/96d297e9a8a8 New changeset a6a36bb6ee50 by Martin Panter in branch 'default': Issue #22636:

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: An Open Indiana buildbot failed. The old code let the shell print any errors about missing programs to /dev/null, so I will change the subprocess calls to handle OSError. == ERROR: setUpModule

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: Updated Py 2 patch to v5 with the added GCC comment -- Added file: http://bugs.python.org/file43383/ctypes_util_popen-5.py2.patch ___ Python tracker

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Roundup Robot added the comment: New changeset 0715d403cae2 by Martin Panter in branch '3.5': Issue #22636: avoid using a shell in the ctypes.util module https://hg.python.org/cpython/rev/0715d403cae2 New changeset 60613ecad578 by Martin Panter in branch 'default': Issue #22636: Merge

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Serhiy Storchaka added the comment: ctypes_util_popen-5.py3.patch LGTM. -- ___ Python tracker ___ ___

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: Yes a comment sounds like a good idea. Here is a new Py 3 patch. -- Added file: http://bugs.python.org/file43329/ctypes_util_popen-5.py3.patch ___ Python tracker

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

STINNER Victor added the comment: Maybe the failure should be explained in a comment? (Sorry I din't read the patch.) -- ___ Python tracker ___

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: Yes it is okay. The code is compiling a dummy file without main(), just to see what libraries GCC tries to link with it. It is only interested in extracting the line matching *libc.so.*, which in your case should be /lib/i386-linux-gnu/libc.so.6 So you should

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Serhiy Storchaka added the comment: It looks to me that the command used in _findLib_gcc always fails. $ LANG=C LC_ALL=C gcc -Wl,-t -o ttt -lc /usr/bin/ld: mode elf_i386 /usr/lib/gcc/i686-linux-gnu/5/../../../i386-linux-gnu/crt1.o /usr/lib/gcc/i686-linux-gnu/5/../../../i386-linux-gnu/crti.o

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: Updated Python 2 patch merged with recent changes. I will commit at least the Python 3 version soon, because the existing code sets a bad example for potential additions (Issue 26439). -- Added file:

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: FTR the Python 2.3 compatibility restriction was lifted; see . -- ___ Python tracker

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Changes by Martin Panter : Added file: http://bugs.python.org/file42800/crle ___ Python tracker ___

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Changes by Martin Panter : Added file: http://bugs.python.org/file42799/ldconfig ___ Python tracker ___

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: Uploading the fake commands I used for testing. -- Added file: http://bugs.python.org/file42798/dump ___ Python tracker

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: Here is a possible patch for Python 2. One snag is that ctypes is currently supposed to be compatible with Python 2.3, but subprocess was added in 2.4. The patch assumes it is okay to lift that compatibility restriction. The main differences are: *

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: I merged Victor’s patch with the current code and addressed most of the comments: * restore re.escape() * single "-l" + name argument * copy with dict(os.environ) * redirect GCC stderr=STDOUT * changed tempfile cleanup to try / finally I also added a test

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: There are a few review comments that probably need addressing. -- stage: patch review -> needs patch ___ Python tracker

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: Marking for bug fix in 2.7, requested in Issue 25751. -- type: enhancement -> behavior versions: +Python 2.7, Python 3.4, Python 3.6 ___ Python tracker

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: I think it is better to return None without an exception, to keep the current behaviour, and because that’s what the documentation implies. -- ___ Python tracker

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Martin Panter added the comment: See Issue 25751 for some demo exploits on Linux, if anyone wants inspiration for test cases. Maybe this should be applied as a bug fix. I haven’t looked at the patch, other than confirming it removes all five os.popen() calls. -- nosy: +martin.panter

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Changes by Martin Panter : -- components: +ctypes ___ Python tracker ___ ___

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Changes by Barry A. Warsaw ba...@python.org: -- nosy: +barry ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22636 ___ ___ Python-bugs-list mailing

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Changes by STINNER Victor victor.stin...@gmail.com: -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22636 ___ ___

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

STINNER Victor added the comment: Updated patch which address also BSD and Solaris systems. I also changed the behaviour when a required command is missing: return None instead of raising an OSError. In the current code, when a command is missing, the shell scripts return the exit code 10.

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Changes by Antoine Pitrou pit...@free.fr: -- nosy: +koobs ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22636 ___ ___ Python-bugs-list mailing

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

New submission from STINNER Victor: Attached patch modifies the ctypes.util module to not use a shell: it replaces os.open() with subprocess.Popen on Linux. Running a shell is slower and is more vulnerable to code injection. I only modified code path on Linux right now. They are still calls

[issue22636] avoid using a shell in ctypes.util: replace os.popen with subprocess

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- nosy: +Arfrever ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22636 ___