New submission from Stephen Farris <stephen.far...@jhuapl.edu>:

The subprocess docs state: "When using shell=True, the shlex.quote() function 
can be used to properly escape whitespace and shell metacharacters in strings 
that are going to be used to construct shell commands." While this is true on 
Unix, it is not true on Windows. On Windows it is easy to create scenarios 
where shell injection still exists despite using shlex.quote properly (e.g. 
subprocess.run(shlex.quote("'&calc '"), shell=True) launches the Windows 
calculator, which it wouldn't do if shlex.quote was able to prevent shell 
injection on Windows). While the shlex docs state that shlex is for Unix, the 
subprocess docs imply that shlex.quote will work on Windows too, possibly 
leading some developers to erroneously use shlex.quote on Windows to try to 
prevent shell injection. Recommend: 1) qualifying the above section in the 
subprocess docs to make it clear that this only works on Unix, and 2) updating 
the shlex docs with warnings that shlex.quote in particular is not for use on 
Windows.

----------
assignee: docs@python
components: Documentation
messages: 371140
nosy: Stephen Farris, docs@python
priority: normal
severity: normal
status: open
title: subprocess docs don't qualify the instruction to use shlex.quote by OS
versions: Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue40932>
_______________________________________
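The report's example is reproducible without launching anything: the string shlex.quote() produces is a valid single POSIX-shell word, but cmd.exe only recognises double quotes, so the single-quoted wrapping means nothing to it and the `&` stays live as a command separator. The block below (added here as an illustration, not code from the bug report or from CPython) shows both views of the same quoted string and the remedy that works on every platform, a list of arguments with shell=False. The cmd.exe metacharacter scan is a deliberately simplified model (assumption: it tracks only double quotes and ignores %var% expansion and caret-escape corner cases); the POSIX side uses shlex.split, which is the real parser shlex.quote targets.

```python
import shlex
import subprocess
import sys

# cmd.exe separators/redirection that are live outside double quotes.
# Simplified model of cmd.exe parsing (assumption, see lead-in).
CMD_METACHARS = set("&|<>^")


def cmd_unquoted_metachars(cmdline: str) -> list:
    """Return cmd.exe metacharacters that sit outside double quotes.

    cmd.exe treats single quotes as ordinary characters, so the
    POSIX-style wrapping shlex.quote() applies does not protect them.
    """
    in_quotes = False
    found = []
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch in CMD_METACHARS:
            found.append(ch)
    return found


def posix_words(cmdline: str) -> list:
    """How a POSIX shell splits the string (what shlex.quote() targets)."""
    return shlex.split(cmdline, posix=True)


def analyse(payload: str) -> dict:
    """Quote an attacker-controlled string and compare the two shells' views."""
    quoted = shlex.quote(payload)
    return {
        "quoted": quoted,
        # On Unix the quoted string collapses back into one literal word.
        "posix_words": posix_words(quoted),
        # On Windows any metacharacter listed here would split the command.
        "cmd_live_metachars": cmd_unquoted_metachars(quoted),
    }


def run_without_shell(payload: str) -> str:
    """Portable remedy: pass argv as a list with shell=False.

    The child is this same Python interpreter (so the demo runs offline on
    any OS); it echoes back argv[1], which arrives intact on Windows too
    because subprocess uses the CreateProcess argument rules, not cmd.exe.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", payload],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\r\n")


if __name__ == "__main__":
    # Constructed sample: the payload from the bug report.
    report = analyse("'&calc '")
    print("shlex.quote output :", report["quoted"])
    print("POSIX sh sees      :", report["posix_words"])
    print("cmd.exe live chars :", report["cmd_live_metachars"])
    print("shell=False argv[1]:", repr(run_without_shell("'&calc '")))
```

The `&` reported as live is exactly the separator that makes cmd.exe run `calc` as a second command in the report's `subprocess.run(shlex.quote("'&calc '"), shell=True)`; the same string parsed as POSIX is a single harmless word. Neither shlex.quote nor subprocess.list2cmdline targets cmd.exe, so on Windows the dependable fix is to avoid shell=True and hand subprocess an argument list.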