[Python-Dev] ctypes compatibility with 2.3
Martin Panter
vadmium+py at gmail.com
Tue May 10 04:17:58 EDT 2016
I am working on <https://bugs.python.org/issue22636>, to fix shell
injection problems with ctypes.util.find_library(). The proposal for
Python 3 is to change os.popen(shell-script) calls to use
subprocess.Popen().
However the Python 2.7 version of the module has a comment which says
“This file should be kept compatible with Python 2.3, see PEP 291.”
Looking at <https://www.python.org/dev/peps/pep-0291/>, it is not
clear why we have to maintain this compatibility. My best guess is
that there may be an external ctypes package that people want(ed) to
keep compatible with 2.3, and also keep synchronized with 2.7.
I would like to lift this restriction to at least 2.4, because that is
when the “subprocess” module was added. I notice that there is already
code that relies on the list.sort(key=...) feature, which was added in
2.4. Ideally I would prefer to drop the restriction and only require
2.7 compatibility. Would either of these options be a problem?
If it is a problem, I think it is still possible to avoid the shell by
passing a sequence of program arguments to os.popen(). But I prefer
not to do this, because the function is marked as deprecated, and the
code would be substantially different to Python 3.
-Martin
More information about the Python-Dev
mailing list