| author | Ammar Askar <ammar@ammaraskar.com> | 2020-11-11 07:29:56 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-11-11 07:29:56 (GMT) |
| commit | f9a8386e44a695551a1e54e709969e90e9b96bc4 (patch) | |
| tree | 8388f4572c7ff038dd4dab22b5231cbb61d5b87c /Doc | |
| parent | fa476fe13255d0360f18528e864540d927560f66 (diff) | |
bpo-40932: Note security caveat of shlex.quote on Windows (GH-21502)
Added a note in the `subprocess` docs that recommends using `shlex.quote` without mentioning that this is only applicable to Unix.
Also added a warning straight into the `shlex` docs since it only says "for simple syntaxes resembling that of the Unix shell" and says using `quote` plugs the security hole without mentioning this important caveat.
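The caveat the commit message describes, as an added example that is not part of this commit or of CPython's documentation: `shlex.quote` only emits POSIX single-quoting (guarded here by a hypothetical `posix_quote` helper that refuses to run on other platforms), whereas an argument list passed with `shell=False` reaches the child as one unmodified argv element on every platform, so the metacharacters in the docs' own `somefile; rm -rf ~` sample never meet a shell.

```python
import os
import shlex
import subprocess
import sys

# Constructed sample argument, reusing the unsafe idiom shown in the shlex docs.
UNTRUSTED_FILENAME = "somefile; rm -rf ~"


def posix_quote(arg: str) -> str:
    """Quote one argument for a POSIX sh command line.

    shlex.quote produces single-quoted POSIX syntax; cmd.exe and other
    non-POSIX shells do not honour it, so this hypothetical guard refuses
    to hand out its output anywhere except on POSIX.
    """
    if os.name != "posix":
        raise RuntimeError("shlex.quote output is only valid for POSIX shells")
    return shlex.quote(arg)


def run_with_argument_list(program: str, args: list) -> str:
    """Run `program` with `args` as a list and shell=False (the default).

    Each list element becomes one argv entry in the child on every platform,
    so no quoting is needed and no shell interprets metacharacters.
    Returns the child's stdout.
    """
    completed = subprocess.run(
        [program, *args], shell=False, capture_output=True, text=True, check=True
    )
    return completed.stdout


def echo_argv1(value: str) -> str:
    """Spawn a Python child that writes back its first argument, showing that
    `value` arrived as a single, unchanged argv element."""
    code = "import sys; sys.stdout.write(sys.argv[1])"
    return run_with_argument_list(sys.executable, ["-c", code, value])


if __name__ == "__main__":
    if os.name == "posix":
        print(posix_quote(UNTRUSTED_FILENAME))  # 'somefile; rm -rf ~'
    print(echo_argv1(UNTRUSTED_FILENAME))  # somefile; rm -rf ~
```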
Diffstat (limited to 'Doc')
-rw-r--r-- | Doc/library/shlex.rst | 14 |
-rw-r--r-- | Doc/library/subprocess.rst | 7 |
2 files changed, 16 insertions, 5 deletions
diff --git a/Doc/library/shlex.rst b/Doc/library/shlex.rst index 7f7f0c7..aab6a54 100644 --- a/Doc/library/shlex.rst +++ b/Doc/library/shlex.rst @@ -61,6 +61,20 @@ The :mod:`shlex` module defines the following functions: string that can safely be used as one token in a shell command line, for cases where you cannot use a list. + .. _shlex-quote-warning: + + .. warning:: + + The ``shlex`` module is **only designed for Unix shells**. + + The :func:`quote` function is not guaranteed to be correct on non-POSIX + compliant shells or shells from other operating systems such as Windows. + Executing commands quoted by this module on such shells can open up the + possibility of a command injection vulnerability. + + Consider using functions that pass command arguments with lists such as + :func:`subprocess.run` with ``shell=False``. + This idiom would be unsafe: >>> filename = 'somefile; rm -rf ~' diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst index 85d0f46..292f8be 100644 --- a/Doc/library/subprocess.rst +++ b/Doc/library/subprocess.rst @@ -718,11 +718,8 @@ If the shell is invoked explicitly, via ``shell=True``, it is the application's responsibility to ensure that all whitespace and metacharacters are quoted appropriately to avoid `shell injection <https://en.wikipedia.org/wiki/Shell_injection#Shell_injection>`_ -vulnerabilities. - -When using ``shell=True``, the :func:`shlex.quote` function can be -used to properly escape whitespace and shell metacharacters in strings -that are going to be used to construct shell commands. +vulnerabilities. On :ref:`some platforms <shlex-quote-warning>`, it is possible +to use :func:`shlex.quote` for this escaping. Popen Objects |
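Review bot: in the shlex.rst hunk, the new ``.. _shlex-quote-warning:`` label precedes a ``.. warning::`` directive, which has no title, so Sphinx can only resolve it through a ``:ref:`` that supplies an explicit title (as the subprocess.rst hunk does); a bare ``:ref:`shlex-quote-warning``` added later would raise an undefined-label warning at build time. A short comment above the label saying so would save the next editor a broken build. Two smaller wording points: "non-POSIX compliant shells" reads better as "non-POSIX-compliant shells", and the closing advice could note that the safe mode is the default, e.g. "such as :func:`subprocess.run` with its default ``shell=False``".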
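Review bot: in the subprocess.rst hunk, "On :ref:`some platforms <shlex-quote-warning>`, it is possible to use :func:`shlex.quote` for this escaping" is vaguer than the warning it links to, which names Unix shells explicitly; readers should not have to follow the link to learn which platforms. Suggest "On POSIX platforms, :func:`shlex.quote` can be used for this escaping (see :ref:`the shlex warning <shlex-quote-warning>`)", keeping the explicit ref title so the label still resolves.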