R. David Murray added the comment:
Since setup.py can run arbitrary python code, it is pointless to worry about
this from a security perspective. The change is otherwise not a bad idea,
though, since it avoids filename quoting problems. Is there any chance this
would break existing setup.py
SilentGhost added the comment:
This also seems to affect Python 3, where os.popen is implemented using
subprocess.Popen, but that one is called with shell=True. So basically the
string that's passed to os.popen should be quoted. The attached patch seems to
be sufficient when applied on the default
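To make the quoting point concrete, here is an added example (not the attached patch and not distutils code) that contrasts the two fixes discussed in this thread: keeping a shell=True string but passing the filename through shlex.quote, versus calling subprocess with an argument list and no shell. The "rpm -q --specfile" command shape and the spec-file name are constructed assumptions; a Python child process stands in for rpm so it runs offline.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample value: a spec-file name carrying a space and a ';',
# the kind of input an unquoted os.popen string hands to the shell unprotected.
SPEC_NAME = "my pkg; touch marker.spec"

# Stand-in for rpm (assumption, so the demo runs offline): a child that simply
# reports the argv it received, which is exactly what we want to inspect.
ECHO_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def shell_tokens(command):
    """Tokenize a command string the way a POSIX shell would, without running it."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def tokens_for(spec_name, quoted):
    """Tokens the shell would see for an rpm-style query built around spec_name."""
    arg = shlex.quote(spec_name) if quoted else spec_name
    return shell_tokens("rpm -q --specfile " + arg)


def run_quoted_shell(spec_name):
    """os.popen-style call (shell=True), but with every argument shlex.quote()d."""
    cmd = "%s -c %s %s" % (shlex.quote(sys.executable),
                           shlex.quote(ECHO_ARGV), shlex.quote(spec_name))
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def run_argv_list(spec_name):
    """subprocess.Popen-style call with an argument list and shell=False: no shell parses anything."""
    proc = subprocess.run([sys.executable, "-c", ECHO_ARGV, spec_name],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("unquoted string splits into:", tokens_for(SPEC_NAME, quoted=False))
    print("quoted string splits into:  ", tokens_for(SPEC_NAME, quoted=True))
    print("quoted shell call received: ", run_quoted_shell(SPEC_NAME))
    print("argv-list call received:    ", run_argv_list(SPEC_NAME))
```

Both safe variants deliver the name as a single argument; the unquoted string shows why, since the shell tokenizer turns the name into several words and a separate ';' command terminator.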
New submission from Bernd Dietzel:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183
File: /usr/lib/python2.7/distutils/command/bdist_rpm.py
Line 358:
This line in the code uses the deprecated os.popen command and should be replaced
with subprocess.Popen():
out =
Changes by Bernd Dietzel:
--
title: distutils : file "bdist_rpm.py" allows Shell injection in "name ->
distutils : file "bdist_rpm.py" allows Shell injection in "name"
___
Python tracker