[Python-ideas] shutil.run (Was: shutil.runret and shutil.runout)

geremy condra debatem1 at gmail.com
Tue Jun 5 08:00:34 CEST 2012


On Mon, Jun 4, 2012 at 2:47 AM, anatoly techtonik <techtonik at gmail.com> wrote:

> On Thu, May 24, 2012 at 6:24 AM, geremy condra <debatem1 at gmail.com> wrote:
> > On Wed, May 23, 2012 at 7:00 PM, Steven D'Aprano <steve at pearwood.info>
> > wrote:
> >>
> >> anatoly techtonik wrote:
> >>
> >>> I am all ears how to make shutil.run() more secure. Right now I must
> >>> confess that I don't even realize how serious this problem is, so if
> >>> anyone can come up with a real-world example with explanation of
> >>> security concern that could be copied "as-is" into documentation, it
> >>> will surely be appreciated not only by me.
> >>
> >>
> >> Start here:
> >>
> >> http://cwe.mitre.org/top25/index.html
> >>
> >> Code injection attacks include two of the top three security
> >> vulnerabilities, over even buffer overflows.
> >>
> >> One sub-category of code injection:
> >>
> >> OS Command Injection
> >> http://cwe.mitre.org/data/definitions/78.html
>
> Great links. Thanks. Are they still too generic to be placed in docs?
>
> >
> > I talked about this in my pycon talk this year. It's easy to avoid and
> > disastrous to get wrong. Please don't do it this way.
>
> Sorry, don't have too much time to watch it right now. Any specific
> slides, ideas or excerpts?
>

The main idea was just that by combining a bit of awareness of common
security anti-patterns (like this one) with a good test regimen and some
script kiddie tools you can protect yourself from a lot of common
vulnerabilities without being a security guru. I demonstrated how that
process works on something fairly similar to this, but if you're interested
in more details I'm happy to blather on or dredge up my slides.

Geremy Condra


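The hazard the thread is circling (a shutil.run()-style helper that takes one shell string, with untrusted data formatted into it) and the two ways to avoid it, as an added example that is not code from the thread or from CPython. It assumes a POSIX /bin/sh and an `echo` binary on PATH; the `template.format(...)` convention and the payload list are constructed for this demo. `probe()` is the kind of cheap injection test Geremy alludes to: run a handful of shell metacharacter payloads through the helper and flag any whose output the shell altered.

```python
"""OS command injection (CWE-78) in a shell-string helper, next to the
forms that avoid it.  Added example; not from the Python-ideas thread.
Assumes POSIX /bin/sh and an `echo` on PATH."""
import shlex
import subprocess

# Constructed attacker-controlled values, e.g. a filename supplied by a user.
PAYLOADS = [
    "report.txt; echo INJECTED",      # command separator
    "report.txt && echo INJECTED",    # conditional chaining
    "$(echo INJECTED)",               # command substitution
    "`echo INJECTED`",                # legacy command substitution
]


def run_string(template, user_value):
    """The anti-pattern: interpolate untrusted text into a shell string.

    `template` (e.g. "echo {}") is trusted; `user_value` is not.  With
    shell=True, /bin/sh parses the whole line, so separators and command
    substitutions inside user_value become part of the command.
    """
    cmd = template.format(user_value)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(template, user_value):
    """Mitigation when a shell is unavoidable: shlex.quote() each untrusted
    token so the shell sees it as a single literal word."""
    cmd = template.format(shlex.quote(user_value))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(argv):
    """Preferred: pass an argument list and never involve a shell.  The
    untrusted value reaches the program as exactly one argv entry."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


def probe(runner):
    """Feed each payload through `runner`, which is expected to echo its
    argument back unchanged.  Return the payloads the shell altered or
    executed; an empty list means none of these payloads injected."""
    altered = []
    for payload in PAYLOADS:
        if runner(payload) != payload + "\n":
            altered.append(payload)
    return altered


if __name__ == "__main__":
    # Expected on POSIX: the string form is altered by every payload,
    # the quoted and argv forms by none.
    print("string :", probe(lambda v: run_string("echo {}", v)))
    print("quoted :", probe(lambda v: run_quoted("echo {}", v)))
    print("argv   :", probe(lambda v: run_argv(["echo", v])))
```

The argv form is the one to document as the default: it has no parsing step for an attacker to exploit, and it also sidesteps quoting differences between shells. shlex.quote() is only a fallback for the cases (pipelines, redirections) where the shell itself is the feature being used.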