From: R. David Murray Date: Fri, 12 Nov 2010 00:35:31 +0000 (+0000) Subject: #7950: add warning about security implications of shell=True to subprocess docs X-Git-Tag: v3.2a4~20 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c7399d0a0faf82e2acf8dc15178364b5b8a5d8df;p=python #7950: add warning about security implications of shell=True to subprocess docs Patch by Chris Rebert. --- diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst index b3739d6770..8f9b9eae33 100644 --- a/Doc/library/subprocess.rst +++ b/Doc/library/subprocess.rst @@ -76,6 +76,24 @@ This module defines one class called :class:`Popen`: Popen(['/bin/sh', '-c', args[0], args[1], ...]) + .. warning:: + + Executing shell commands that incorporate unsanitized input from an + untrusted source makes a program vulnerable to `shell injection + `_, + a serious security flaw which can result in arbitrary command execution. + For this reason, the use of *shell=True* is **strongly discouraged** in cases + where the command string is constructed from external input:: + + >>> from subprocess import call + >>> filename = input("What file would you like to display?\n") + What file would you like to display? + non_existent; rm -rf / # + >>> call("cat " + filename, shell=True) # Uh-oh. This will end badly... + + *shell=False* does not suffer from this vulnerability; the above Note may be + helpful in getting code using *shell=False* to work. + On Windows: the :class:`Popen` class uses CreateProcess() to execute the child program, which operates on strings. If *args* is a sequence, it will be converted to a string using the :meth:`list2cmdline` method. Please note that
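Review bot: the hyperlink in the new warning text has no target: the hunk reads ``\`shell injection`` followed on the next line by a bare ``\`_``, so the reStructuredText reference has a title but no URL and will render as a broken or dangling link; add the target after the title, e.g. ``\`shell injection <URL>\`_`` (URL to be supplied by the patch author). Two smaller points in the same hunk: the sentence "*shell=False* does not suffer from this vulnerability" holds only when *args* is passed as a sequence so that the user-supplied filename stays a single argv element, and the warning would be more useful if it showed that safe form, e.g. ``call(["cat", filename])``, next to the vulnerable ``call("cat " + filename, shell=True)``; and the closing phrase "the above Note may be helpful" points at a section the reader cannot locate from the warning itself, so name the note or turn it into a ``:ref:`` so the pointer survives future edits to the page.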