On 01Sep2014 14:33, Earl Lapus <earl.la...@gmail.com> wrote:
On Mon, Sep 1, 2014 at 1:39 PM, Chris Angelico <ros...@gmail.com> wrote:
Glad it's working! But please, don't just take my word for it and make
a black-box change to your code. When you invoke subprocesses, be sure
you understand what's going on, and when shell=True is appropriate and
when shell=False is appropriate. The docs should be fairly clear on
this. If you get this sort of thing wrong, you'll get weird errors
like this (if you're lucky), or open yourself up to shell injection
vulnerabilities (if you're not).
The command and arguments that will be passed to check_output will not
depend on user input. So, the chances of malicious commands from being
executed would be low (right?).
Not really. If the arguments are coming in from the command line, someone (a
user, even if that user is the programmer) typed them. Even if not malicious,
they can still be mistaken. Or just unfortunate.
You should always want to do exactly what you're asked. If you misuse
shell=True when the user is expecting shell=False (i.e. "just do what I
said!"), then your program will not carry out the user's intent. If it does not
fail outright, it will presumably do the _wrong_ thing.
Cheers,
Cameron Simpson <c...@zip.com.au>
Music journalism: People who can't write interviewing people who can't talk
for people who can't read. - Frank Zappa
--
https://mail.python.org/mailman/listinfo/python-list
