[issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name"

SilentGhost report at bugs.python.org
Sat Nov 14 17:04:18 EST 2015


SilentGhost added the comment:

This also seems to affect Python 3; there os.popen is implemented using subprocess.Popen, but that one is called with shell=True. So basically the string that's passed to os.popen should be quoted. The attached patch seems to be sufficient when applied on the default branch.

----------
keywords: +patch
nosy: +SilentGhost
Added file: http://bugs.python.org/file41044/issue25627.diff

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue25627>
_______________________________________
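
An added illustration of the point made in the comment above (it is not the attached patch and not distutils code): a string handed to os.popen is parsed by the shell, so an unquoted name is split on `;`, while shlex.quote() or a shell-free argv list keeps it as one argument. The `printf` command and the sample names are constructed stand-ins, and a POSIX /bin/sh is assumed.

```python
import os
import shlex
import subprocess
import sys

# Constructed sample values standing in for a package "name" field.
NAMES = ["pkg; echo INJECTED", "it's a pkg; echo INJECTED"]


def popen_lines(cmd):
    """Run cmd the way os.popen does (through the shell); return output lines."""
    with os.popen(cmd) as pipe:
        return pipe.read().splitlines()


def unquoted(name):
    # Vulnerable pattern: the name is pasted into the shell string as-is,
    # so the shell treats ';' inside it as a command separator.
    return popen_lines("printf '%s\\n' " + name)


def quoted(name):
    # shlex.quote() turns the name into a single shell word, including
    # names that themselves contain a single quote.
    return popen_lines("printf '%s\\n' " + shlex.quote(name))


def no_shell(name):
    # No shell involved at all: the name is exactly one argv element.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", name]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    print("unquoted:", unquoted(NAMES[0]))
    for n in NAMES:
        print("quoted:  ", quoted(n))
        print("no shell:", no_shell(n))
```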

