Do not use shell=True option for subprocess #9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The use of `shell=True` in subprocess is highly discouraged and
can have unexpected (in the best of the scenarios) or even
disastrous consequences.
When using `shell=True` in fact, the string is directly passed
to the shell, so what happens when you use operators such as:
`;`, `!`, `>`, `>>`, `<`, `<<`, `&`, `&&`, `|`, `||` ?
These are directly processed by the shell, and since these are common
symbols in a programming language it may lead to really bad
consequences. For example try to use this:
open a file in php | wc -l
The output is `11`, because there are 11 lines in the `howdoi` output.
use the operator > in c
This will create a file `in` since `>` redirects the output of `howdoi
use the operator` to the fine `in`.
This can lead to really bad consequences. I hope nobody ever looked for
how to use `|` to `rm -rf`..
`subprocess.Popen` takes a list of strings as input (the `argv`), so
you just need to remove `shell=True` and use `['howdoi', query]` as
argument and you are on the safe side!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The use of
shell=Truein subprocess is highly discouraged and can have unexpected (in the best of the scenarios) or even disastrous consequences.When using
shell=Truein fact, the string is directly passed to the shell, so what happens when you use operators such as:;,!,>,>>,<,<<,&,&&,|,||?These are directly processed by the shell, and since these are common symbols in a programming language it may lead to really bad consequences. For example try to use this:
The output is
11, because there are 11 lines in thehowdoioutput.This will create a file
insince>redirects the output ofhowdoi use the operatorto the finein.This can lead to really bad consequences. I hope nobody ever looked for how to use
|torm -rf..subprocess.Popentakes a list of strings as input (theargv), so you just need to removeshell=Trueand use['howdoi', query]as argument and you are on the safe side!