[Python-checkins] cpython (2.7): Backport from 3.2: Fix placement of shell=True warning in subprocess.Popen()

chris.jerdonek python-checkins at python.org
Thu Oct 11 08:01:04 CEST 2012


http://hg.python.org/cpython/rev/bbdb90bf2692
changeset:   79663:bbdb90bf2692
branch:      2.7
parent:      79659:f051e37ac11d
user:        Chris Jerdonek <chris.jerdonek at gmail.com>
date:        Wed Oct 10 22:58:57 2012 -0700
summary:
  Backport from 3.2: Fix placement of shell=True warning in subprocess.Popen() docs.

files:
  Doc/library/subprocess.rst |  19 ++++++++-----------
  1 files changed, 8 insertions(+), 11 deletions(-)


diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst
--- a/Doc/library/subprocess.rst
+++ b/Doc/library/subprocess.rst
@@ -243,8 +243,8 @@
       untrusted source makes a program vulnerable to `shell injection
       <http://en.wikipedia.org/wiki/Shell_injection#Shell_injection>`_,
       a serious security flaw which can result in arbitrary command execution.
-      For this reason, the use of *shell=True* is **strongly discouraged** in cases
-      where the command string is constructed from external input::
+      For this reason, the use of ``shell=True`` is **strongly discouraged**
+      in cases where the command string is constructed from external input::
 
          >>> from subprocess import call
          >>> filename = input("What file would you like to display?\n")
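Review bot: The context line ``>>> filename = input("What file would you like to display?\n")`` is wrong for the 2.7 branch this commit lands on: in Python 2, ``input()`` evaluates the typed text as a Python expression, so the example executes arbitrary code before ``shell=True`` is ever reached, which muddies the point the warning makes (the shell, not the interpreter, is the injection vector). The 3.2 wording is fine because 3.x ``input()`` returns a string; the backport should use ``raw_input(...)`` here. The markup change from ``*shell=True*`` to ````shell=True```` is correct, since the token is a literal keyword argument rather than emphasised prose.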
@@ -334,6 +334,12 @@
    into the shell (e.g. :command:`dir` or :command:`copy`).  You do not need
    ``shell=True`` to run a batch file or console-based executable.
 
+   .. warning::
+
+      Passing ``shell=True`` can be a security hazard if combined with
+      untrusted input.  See the warning under :ref:`frequently-used-arguments`
+      for details.
+
    *bufsize*, if given, has the same meaning as the corresponding argument to the
    built-in open() function: :const:`0` means unbuffered, :const:`1` means line
    buffered, any other positive value means use a buffer of (approximately) that
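Review bot: The new warning names the hazard but not the fix; since this paragraph (the one ending "You do not need ``shell=True`` to run a batch file or console-based executable.") is where a reader decides whether to set the flag, add one clause such as "pass *args* as a sequence and leave *shell* at its default" so the safe alternative is visible without following the cross-reference. The ``:ref:`frequently-used-arguments``` target is the same one used by the warning block removed further down, so the move does not introduce a dangling label, but the hunk at line 243 should be the section carrying that label; a build of the 2.7 docs will confirm the reference resolves.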
@@ -375,15 +381,6 @@
    child process.  Note that on Windows, you cannot set *close_fds* to true and
    also redirect the standard handles by setting *stdin*, *stdout* or *stderr*.
 
-   If *shell* is :const:`True`, the specified command will be executed through the
-   shell.
-
-   .. warning::
-
-      Enabling this option can be a security hazard if combined with untrusted
-      input. See the warning under :ref:`frequently-used-arguments`
-      for details.
-
    If *cwd* is not ``None``, the child's current directory will be changed to *cwd*
    before it is executed.  Note that this directory is not considered when
    searching the executable, so you can't specify the program's path relative to
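Review bot: Besides the duplicate warning, this hunk deletes the sentence "If *shell* is :const:`True`, the specified command will be executed through the shell.", which is the only statement in this block of what the argument does. That is correct only if the *shell* parameter is already fully described in the paragraph that now carries the warning (the context in the earlier hunk, "into the shell (e.g. :command:`dir` or :command:`copy`)", suggests it is); confirm on the 2.7 branch that the *shell* description was consolidated there by the earlier docs backport, since this commit only moves the warning and does not add any description of the parameter.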

-- 
Repository URL: http://hg.python.org/cpython

