author: Ammar Askar <ammar@ammaraskar.com> 2020-11-11 07:29:56 (GMT)
committer: GitHub <noreply@github.com> 2020-11-11 07:29:56 (GMT)
commit: f9a8386e44a695551a1e54e709969e90e9b96bc4
tree: 8388f4572c7ff038dd4dab22b5231cbb61d5b87c /Doc/library/subprocess.rst
parent: fa476fe13255d0360f18528e864540d927560f66
bpo-40932: Note security caveat of shlex.quote on Windows (GH-21502)
Added a note in the `subprocess` docs that recommend using `shlex.quote` without mentioning that this is only applicable to Unix. Also added a warning straight into the `shlex` docs since it only says "for simple syntaxes resembling that of the Unix shell" and says using `quote` plugs the security hole without mentioning this important caveat.
Diffstat (limited to 'Doc/library/subprocess.rst')
-rw-r--r-- Doc/library/subprocess.rst | 7
1 files changed, 2 insertions, 5 deletions
diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst
index 85d0f46..292f8be 100644
--- a/Doc/library/subprocess.rst
+++ b/Doc/library/subprocess.rst
@@ -718,11 +718,8 @@ If the shell is invoked explicitly, via ``shell=True``, it is the application's
responsibility to ensure that all whitespace and metacharacters are
quoted appropriately to avoid
`shell injection <https://en.wikipedia.org/wiki/Shell_injection#Shell_injection>`_
-vulnerabilities.
-
-When using ``shell=True``, the :func:`shlex.quote` function can be
-used to properly escape whitespace and shell metacharacters in strings
-that are going to be used to construct shell commands.
+vulnerabilities. On :ref:`some platforms <shlex-quote-warning>`, it is possible
+to use :func:`shlex.quote` for this escaping.
Popen Objects
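Review bot: "On :ref:`some platforms <shlex-quote-warning>`" in the added sentence leaves a reader of the subprocess page without the one fact that matters at this point, which the commit message states outright: the :func:`shlex.quote` advice is only applicable to Unix. Consider naming that inline, for example "On Unix shells, :func:`shlex.quote` can be used for this escaping; see the :ref:`warning <shlex-quote-warning>` for other platforms", so someone who does not follow the link does not assume the quoting is safe with ``shell=True`` on Windows. Separately, the ``shlex-quote-warning`` label is not defined anywhere in this file-limited diff, so confirm the shlex.rst half of the commit adds it, otherwise the reference will not resolve in the built docs.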