mirror of https://github.com/python/cpython
bpo-40932: Note security caveat of shlex.quote on Windows (GH-21502)
Added a note in the `subprocess` docs that recommend using `shlex.quote` without mentioning that this is only applicable to Unix. Also added a warning straight into the `shlex` docs since it only says "for simple syntaxes resembling that of the Unix shell" and says using `quote` plugs the security hole without mentioning this important caveat.
This commit is contained in:
parent
fa476fe132
commit
f9a8386e44
|
@ -61,6 +61,20 @@ The :mod:`shlex` module defines the following functions:
|
|||
string that can safely be used as one token in a shell command line, for
|
||||
cases where you cannot use a list.
|
||||
|
||||
.. _shlex-quote-warning:
|
||||
|
||||
.. warning::
|
||||
|
||||
The ``shlex`` module is **only designed for Unix shells**.
|
||||
|
||||
The :func:`quote` function is not guaranteed to be correct on non-POSIX
|
||||
compliant shells or shells from other operating systems such as Windows.
|
||||
Executing commands quoted by this module on such shells can open up the
|
||||
possibility of a command injection vulnerability.
|
||||
|
||||
Consider using functions that pass command arguments with lists such as
|
||||
:func:`subprocess.run` with ``shell=False``.
|
||||
|
||||
This idiom would be unsafe:
|
||||
|
||||
>>> filename = 'somefile; rm -rf ~'
|
||||
|
|
|
@ -718,11 +718,8 @@ If the shell is invoked explicitly, via ``shell=True``, it is the application's
|
|||
responsibility to ensure that all whitespace and metacharacters are
|
||||
quoted appropriately to avoid
|
||||
`shell injection <https://en.wikipedia.org/wiki/Shell_injection#Shell_injection>`_
|
||||
vulnerabilities.
|
||||
|
||||
When using ``shell=True``, the :func:`shlex.quote` function can be
|
||||
used to properly escape whitespace and shell metacharacters in strings
|
||||
that are going to be used to construct shell commands.
|
||||
vulnerabilities. On :ref:`some platforms <shlex-quote-warning>`, it is possible
|
||||
to use :func:`shlex.quote` for this escaping.
|
||||
|
||||
|
||||
Popen Objects
|
||||
|
|
Loading…
Reference in New Issue