Steven D'Aprano <st...@pearwood.info>:

> Perhaps I'm missing something, but aren't there easier ways to attack 
> os.system than the bash env vulnerability?

The main concern is the cases where you provide a service accessible
through an SSH login and try to sandbox the client with limited
functionality. SSH passes some environment variables on to the service
which can then be used as an XSS vector.

For example, if you wrote an SVN server's SSH front end with Python and
used subprocess.Popen(shell=True) to execute the SVN operations, you
could become a victim.


Marko
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
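The scenario Marko sketches, an SSH front end that hands client-influenced environment variables to a shell, is worth seeing as code. The block below is an added example, not code from this thread or from any real SVN server; it assumes a forced-command wrapper that receives `SSH_ORIGINAL_COMMAND` from sshd, and the environment values and the `svnserve -t` policy are constructed for illustration. It shows the risky `shell=True` shape beside a hardened plan that uses an argv list, no shell, and an allowlisted environment, so that no bash process ever parses the inherited variables.

```python
import shlex
import subprocess

# Constructed sample of what a forced-command service inherits from sshd.
# Several of these (SSH_ORIGINAL_COMMAND, TERM, LC_*) are chosen by the SSH
# client, so they must be treated as untrusted input.
INHERITED_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/svc",
    "SSH_ORIGINAL_COMMAND": "svnserve -t",
    "TERM": "xterm",
    "LC_ALL": "en_US.UTF-8",
}

# Only variables the child actually needs survive. Assumption for the example:
# svnserve in tunnel mode is fine with just PATH and HOME.
ENV_ALLOWLIST = ("PATH", "HOME")

# The single command this front end is willing to run (hypothetical policy).
ALLOWED_ARGV = ["svnserve", "-t"]


def scrub_env(env):
    """Return a minimal environment containing only allowlisted variables."""
    return {k: v for k, v in env.items() if k in ENV_ALLOWLIST}


def is_allowed_command(ssh_original_command):
    """True only if the client's request is exactly the permitted argv."""
    try:
        argv = shlex.split(ssh_original_command)
    except ValueError:  # unbalanced quotes and similar: not a valid request
        return False
    return argv == ALLOWED_ARGV


def plan_vulnerable(env):
    """The pattern from the thread: one string, shell=True, env passed through.

    subprocess will run ``/bin/sh -c "svnserve -t"`` with ``env`` as the
    shell's environment. Where /bin/sh is bash, every inherited variable is
    parsed by bash before svnserve even starts, which is exactly the exposure
    the bash env vulnerability creates. Returned as a plan, not executed.
    """
    return {"args": "svnserve -t", "shell": True, "env": dict(env)}


def plan_hardened(env, ssh_original_command):
    """Argv list, shell=False, scrubbed environment.

    No shell is spawned, so the client's variables are never interpreted as
    anything but plain strings, and only allowlisted ones reach the child.
    """
    if not is_allowed_command(ssh_original_command):
        raise ValueError("refusing unexpected command: %r" % ssh_original_command)
    return {"args": list(ALLOWED_ARGV), "shell": False, "env": scrub_env(env)}


def run_plan(plan):
    """Execute a plan with subprocess.Popen; kept separate so plans are testable."""
    return subprocess.Popen(plan["args"], shell=plan["shell"], env=plan["env"])


if __name__ == "__main__":
    plan = plan_hardened(INHERITED_ENV, INHERITED_ENV["SSH_ORIGINAL_COMMAND"])
    print("would run %r with shell=%s and env keys %s"
          % (plan["args"], plan["shell"], sorted(plan["env"])))
    # run_plan(plan) would start svnserve if it were installed.
```

The two plan functions make the difference inspectable: the vulnerable plan carries every inherited variable into a shell, while the hardened plan carries a two-key environment into an argv exec. Clearing the environment alone is not enough if `shell=True` stays, and dropping `shell=True` alone still leaks client-chosen variables into the child, so the fix is both together.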