[issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-15 Thread R. David Murray
R. David Murray added the comment: Since setup.py can run arbitrary python code, it is pointless to worry about this from a security perspective. The change is otherwise not a bad idea, though, since it avoids filename quoting problems. Is there any chance this would break existing setup.py

[issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-14 Thread SilentGhost
SilentGhost added the comment: This also seems to affect Python 3; there os.popen is implemented using subprocess.Popen, but that one is called with shell=True. So basically the string that's passed to os.popen should be quoted. The attached patch seems to be sufficient when applied on the default

[issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name

2015-11-14 Thread Bernd Dietzel
New submission from Bernd Dietzel: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183 File: /usr/lib/python2.7/distutils/command/bdist_rpm.py Line 358: This line in the code uses the deprecated os.popen command, should be replaced with subprocess.Popen() : out =

[issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-14 Thread Bernd Dietzel
Changes by Bernd Dietzel: title: distutils : file "bdist_rpm.py" allows Shell injection in "name -> distutils : file "bdist_rpm.py" allows Shell injection in "name"