Message 250074 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	steve.dower
Recipients	Arfrever, PedanticHacker, devplayer, eryksun, jbmilam, joncwchao, python-dev, r.david.murray, steve.dower
Date	2015年09月07日.05:49:52
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1441604994.88.0.396817085759.issue8232@psf.upfronthosting.co.za>

Content
Here's an alternate patch I proposed on #25005 before we decided to back out the change. The problem is that subprocess.call() with shell=True is unsafe because we don't escape shell operators (such as &, <, >, \|). The fix in this patch is to allow passing arguments to os.startfile so we can use that instead. Arguments do not need to be escaped in this case.

Content

Here's an alternate patch I proposed on #25005 before we decided to back out the change.
The problem is that subprocess.call() with shell=True is unsafe because we don't escape shell operators (such as &, <, >, |).
The fix in this patch is to allow passing arguments to os.startfile so we can use that instead. Arguments do not need to be escaped in this case.

History
Date	User	Action	Args
2015年09月07日 05:49:55	steve.dower	set	recipients: + steve.dower, Arfrever, r.david.murray, joncwchao, devplayer, python-dev, eryksun, jbmilam, PedanticHacker
2015年09月07日 05:49:54	steve.dower	set	messageid: <1441604994.88.0.396817085759.issue8232@psf.upfronthosting.co.za>
2015年09月07日 05:49:54	steve.dower	link	issue8232 messages
2015年09月07日 05:49:54	steve.dower	create

homepage