[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-11-11 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Looks good to me, except the last two lines which I would reword or just remove.

I wonder how many people use shell=True merely for the convenience of passing a 
string instead of a list.  What do you think about adding a mention of 
str.split and shlex.split?

--
nosy: +eric.araujo
type: security -> behavior
versions:  -Python 2.6

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue7950
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-11-11 Thread Chris Rebert

Chris Rebert pyb...@rebertia.com added the comment:

The above Note mentioned in those last two lines demonstrates shlex.split() 
and correct tokenization.

--




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-11-11 Thread R. David Murray

R. David Murray rdmur...@bitdance.com added the comment:

Committed (as a warning) in r86419.  Thanks, Chris.

--
stage: patch review -> committed/rejected
status: open -> closed




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-08-28 Thread Chris Rebert

Chris Rebert pyb...@rebertia.com added the comment:

Adjusted patch per R. David's comment.

I obviously think it should be a full red warning box (that's how it is in my 
patch), but my opinion clearly isn't an outside one.

Also, Ping/Bump on finally getting this applied.

--
Added file: http://bugs.python.org/file18670/subprocess.rst.diff




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-08-10 Thread R. David Murray

R. David Murray rdmur...@bitdance.com added the comment:

Chris, thank you for the patch, sorry I didn't acknowledge it earlier.  I think 
the core of the patch is good, though I will probably drop the text starting 
from "To safely use..." when I get time to apply it.  I will also add a note 
along the lines of "this applies also to Windows, although the details of the 
exploits differ."

I would like input from others as to whether this should indeed be a red 
warning box, or is adequate as a note.  We try to minimize the number of red 
boxes, but this may well be an appropriate case for one (I'm leaning that way 
myself).

--
assignee: georg.brandl -> d...@python
nosy: +d...@python
stage: needs patch -> patch review




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-07-25 Thread Chris Rebert

Changes by Chris Rebert pyb...@rebertia.com:


Added file: http://bugs.python.org/file18209/subprocess.rst.diff




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-07-25 Thread Chris Rebert

Chris Rebert pyb...@rebertia.com added the comment:

My apologies for the extra email...

--
Added file: http://bugs.python.org/file18210/subprocess.rst.diff




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-07-25 Thread Chris Rebert

Changes by Chris Rebert pyb...@rebertia.com:


Removed file: http://bugs.python.org/file18209/subprocess.rst.diff




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-07-23 Thread Chris Rebert

Chris Rebert pyb...@rebertia.com added the comment:

I found some extra time. Here's an initial suggested patch against py3k head.

Disclaimer: I have no special expertise in computer security beyond having read 
Secure Coding: Principles and Practices a while back.

--
keywords: +patch
Added file: http://bugs.python.org/file18136/subprocess.rst.diff




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-07-23 Thread Terry J. Reedy

Changes by Terry J. Reedy tjre...@udel.edu:


--
nosy:  -tjreedy




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-07-21 Thread R. David Murray

R. David Murray rdmur...@bitdance.com added the comment:

Since the other bug was about a different topic and was closed as fixed, I'd 
rather have this issue open.  What I've done instead is merge the nosy list 
from the other bug...anyone who is not interested can of course opt out of this 
one.

Christoph, would you care to suggest a patch?

--
nosy: +benjamin.peterson, brian.curtin, cvrebert, ncoghlan, pitrou, 
r.david.murray, tjreedy
resolution: duplicate -> accepted
stage: committed/rejected -> needs patch
status: closed -> open
superseder: patch to subprocess docs to better explain Popen's 'args' argument 
-> (none)
versions: +Python 2.7, Python 3.2




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-07-21 Thread Chris Rebert

Chris Rebert pyb...@rebertia.com added the comment:

I'm busy with finding an apartment and taking exams for the next week-or-so, 
but after that I'll try and suggest a patch. If anyone wants to have a crack at 
it between now and then, don't let me stop you.

--




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-02-18 Thread Christoph Neuroth

Christoph Neuroth christoph.neur...@googlemail.com added the comment:

You're right, that has been improved in regard to how you can do it instead. 
However, I still think it fails to mention the security risk involved - compare 
this to e.g. os.tempnam(), which has a warning in a red box.

--
status: closed -> open




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-02-18 Thread Eric Smith

Eric Smith e...@trueblade.com added the comment:

If you want to generate some more discussion, I suggest you close this issue 
and reopen the other one, since that has more people on the nosy list.

--




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-02-18 Thread Christoph Neuroth

Christoph Neuroth christoph.neur...@googlemail.com added the comment:

Good idea :)

--
status: open -> closed




[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-02-17 Thread Christoph Neuroth

New submission from Christoph Neuroth christoph.neur...@googlemail.com:

Currently, the documentation of subprocess only says "Calling the program 
through the shell is usually not required." IMHO there should be a real 
warning (like, in its own box with a couple of big exclamation marks ;)) about 
the security implications of using this and detailed instructions of how to 
avoid it. People tend to use this functionality just because they know how to 
use the shell and it's just so convenient - and by doing so they create huge 
security holes in their applications.

--
assignee: georg.brandl
components: Documentation
messages: 99465
nosy: christoph.neuroth, georg.brandl
severity: normal
status: open
title: subprocess.Popen documentation should contain a good warning about the 
security implications when using shell=True
type: security
versions: Python 2.6, Python 3.1


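The hole Christoph describes above, and the str.split vs shlex.split point Éric raises earlier in the thread, shown in working code. This is an added example, not part of the tracker discussion, the committed docs patch, or the subprocess documentation. It assumes a POSIX /bin/sh (the shell=True path calls it), and the attacker-controlled value and the grep command line are constructed inputs.

```python
# Added example (not from the Python docs or the issue7950 patch): why
# shell=True with untrusted input is a command-injection hole, and the two
# alternatives the thread mentions: an argv list, or shlex.split / shlex.quote
# when a command string is unavoidable. Assumes a POSIX /bin/sh.
import shlex
import subprocess
import sys

# Constructed attacker-controlled value, e.g. a filename from a web form.
# The ';' terminates the intended command and starts a second one.
UNTRUSTED = "hello; echo INJECTED"

# Tiny program used in place of an external tool so the list form runs
# without depending on which binaries are installed.
PRINT_FIRST_ARG = "import sys; print(sys.argv[1])"


def run_with_shell(user_value):
    """Vulnerable: the whole string goes to /bin/sh, which parses user_value."""
    return subprocess.run("echo " + user_value, shell=True,
                          capture_output=True, text=True).stdout


def run_with_arg_list(user_value):
    """Safe: user_value is exactly one argv element; no shell ever sees it."""
    argv = [sys.executable, "-c", PRINT_FIRST_ARG, user_value]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_with_shell_quoted(user_value):
    """If a shell string is unavoidable, shlex.quote() makes the value inert."""
    return subprocess.run("echo " + shlex.quote(user_value), shell=True,
                          capture_output=True, text=True).stdout


def split_naively(command_line):
    """str.split() tears quoted arguments apart, which is usually wrong."""
    return command_line.split()


def split_shell_style(command_line):
    """shlex.split() tokenizes like a POSIX shell and keeps quoted groups."""
    return shlex.split(command_line)


if __name__ == "__main__":
    print("shell=True :", repr(run_with_shell(UNTRUSTED)))      # two lines out
    print("arg list   :", repr(run_with_arg_list(UNTRUSTED)))   # one line out
    print("quoted     :", repr(run_with_shell_quoted(UNTRUSTED)))
    cmd = 'grep -n "two words" data.txt'
    print("str.split  :", split_naively(cmd))
    print("shlex.split:", split_shell_style(cmd))
```

The first call prints two lines because the shell executed the injected `echo INJECTED`; the list form and the quoted form each print the value back as a single literal argument. The last two calls show why the convenience argument for shell=True is weak: shlex.split gives the list that Popen wants from the string people would otherwise hand to the shell, while str.split would pass `"two` and `words"` as separate arguments.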


[issue7950] subprocess.Popen documentation should contain a good warning about the security implications when using shell=True

2010-02-17 Thread Eric Smith

Eric Smith e...@trueblade.com added the comment:

This was just discussed in issue 6760.

--
nosy: +eric.smith
resolution: -> duplicate
stage: -> committed/rejected
status: open -> closed
superseder: -> patch to subprocess docs to better explain Popen's 'args' 
argument
