[issue42641] Deprecate os.popen() function
Serhiy Storchaka
report at bugs.python.org
Tue Dec 15 02:45:48 EST 2020
Serhiy Storchaka <storchaka+cpython at gmail.com> added the comment:
Searching os.popen in code on GitHub gives around 4.5 millions of results. Seems that most of them are with literal strings which are very specific to the program, like
check2 = os.popen('grep "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/*').read()
They are not vulnerable to shell injection and other drawbacks of os.popen do not matter in that cases. Most of that code looks like specialized scripts rather than parts of general libraries.
Yes, some examples can be vulnerable to shell injection (although in they use cases, with restricted data and environment, they can be pretty safe). But deprecating os.popen can break millions of scripts and cause more harm than prevent bugs.
It may be better strategy to document drawbacks and limitations of os.popen and advertise alternatives.
----------
nosy: +serhiy.storchaka
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42641>
_______________________________________
More information about the Python-bugs-list
mailing list