Message 123232 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	vstinner
Recipients	brian.curtin, eric.araujo, jldm, r.david.murray, vstinner
Date	2010年12月03日.12:35:34
SpamBayes Score	0.007628593
Marked as misclassified	No
Message-id	<1291379736.12.0.603595530618.issue10197@psf.upfronthosting.co.za>

Content
-def getstatusoutput(cmd): +def getstatusoutput(cmd, shell=True): shell=True is dangerous, it can lead to shell command injection. I would prefer to set its default value to False. The function already exists in Python 3.1, but it is not used in Python source code. Is it too late to fix its API to avoid security vulnerabilities?

Content

-def getstatusoutput(cmd):
+def getstatusoutput(cmd, shell=True):
shell=True is dangerous, it can lead to shell command injection. I would prefer to set its default value to False. The function already exists in Python 3.1, but it is not used in Python source code. Is it too late to fix its API to avoid security vulnerabilities?

History
Date	User	Action	Args
2010年12月03日 12:35:36	vstinner	set	recipients: + vstinner, eric.araujo, r.david.murray, brian.curtin, jldm
2010年12月03日 12:35:36	vstinner	set	messageid: <1291379736.12.0.603595530618.issue10197@psf.upfronthosting.co.za>
2010年12月03日 12:35:34	vstinner	link	issue10197 messages
2010年12月03日 12:35:34	vstinner	create

homepage