[Python-Dev] PEP 501 Shell Command Examples
Nick Coghlan
ncoghlan at gmail.com
Sat Sep 5 13:59:48 CEST 2015
On 5 September 2015 at 12:36, Nikolaus Rath <Nikolaus at rath.org> wrote:
> Hi Nick,
>
> You are giving
>
> runcommand(sh(i"cat (unknown)"))
>
> as an example that avoids injection attacks. While this is true, I think
> this is still a terrible anti-pattern[1] that should not be entombed in
> a PEP as a positive example.
>
> Could you consider removing it?
>
> (It doubly wastes resources by pointlessly calling a shell, and then by
> parsing & quoting the argument only for the shell to do the same in
> reverse).
Any reasonable implementation of that pattern wouldn't actually call a
system shell; it would invoke something like Julia's command system.
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
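As an added illustration of the point in this reply (example code, not from the PEP or the thread): a renderer that turns an interpolation template into an argv list and hands it to `subprocess.run` with `shell=False`, so no shell is ever invoked and no quoting round-trip happens. `Interpolated`, `sh_argv` and `runcommand` are hypothetical stand-ins for what `i"..."` and `sh()` would produce; Python's real template syntax is not used here.

```python
import shlex
import subprocess
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Interpolated:
    """Hypothetical stand-in for one {expr} field of an i-string."""
    value: Any


def sh_argv(parts: list) -> list[str]:
    """Render literal text plus interpolated values to an argv list.

    Literal text is word-split with shlex (the author's own spaces decide
    where arguments start); each interpolated value becomes exactly one
    argument, whatever characters it contains, so it can never add a
    second command, a pipe, or an extra option. A value glues onto the
    adjacent literal word when there is no whitespace between them,
    e.g. "--file=" + {path} -> "--file=<path>".
    """
    argv: list[str] = []
    glue = False  # next token attaches to argv[-1] instead of starting a new one
    for part in parts:
        if isinstance(part, Interpolated):
            text = str(part.value)
            if glue and argv:
                argv[-1] += text
            else:
                argv.append(text)
            glue = True
        else:
            tokens = shlex.split(part)
            if tokens and glue and argv and not part[0].isspace():
                argv[-1] += tokens[0]
                tokens = tokens[1:]
            argv.extend(tokens)
            if part:
                glue = not part[-1].isspace()
    return argv


def runcommand(argv: list[str]) -> subprocess.CompletedProcess:
    """shell=False: argv goes straight to execve, no shell parsing at all."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    user_input = "notes.txt; rm -rf /"  # constructed hostile value
    print(sh_argv(["cat ", Interpolated(user_input)]))
    # -> ['cat', 'notes.txt; rm -rf /']  (one filename argument, no command)
```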