bpo-40932: Note security caveat of shlex.quote on Windows (GH-21502) · python/cpython@f9a8386

2 files changed


Original file line number Diff line number Diff line change
@@ -61,6 +61,20 @@ The :mod:`shlex` module defines the following functions:
61 61 string that can safely be used as one token in a shell command line, for
62 62 cases where you cannot use a list.
63 63
64 + .. _shlex-quote-warning:
65 +
66 + .. warning::
67 +
68 + The ``shlex`` module is **only designed for Unix shells**.
69 +
70 + The :func:`quote` function is not guaranteed to be correct on non-POSIX
71 + compliant shells or shells from other operating systems such as Windows.
72 + Executing commands quoted by this module on such shells can open up the
73 + possibility of a command injection vulnerability.
74 +
75 + Consider using functions that pass command arguments with lists such as
76 +:func:`subprocess.run` with ``shell=False``.
77 +
64 78 This idiom would be unsafe:
65 79
66 80 >>> filename = 'somefile; rm -rf ~'
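Review bot: the continuation line at new line 76 (`:func:`subprocess.run` with ``shell=False``.`) appears flush with the left margin while every other line of the warning body is indented; if the source really has that indentation, reST closes the `.. warning::` directive before that paragraph, so the sentence either renders as ordinary body text or Sphinx reports an unexpected unindent. Indent it to match line 75. Two smaller wording points: "non-POSIX compliant shells" should read "non-POSIX-compliant shells", and the opening sentence would be more precise as "only designed for POSIX shells" than "Unix shells", since POSIX compliance is the criterion the next paragraph actually uses.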
@@ -718,11 +718,8 @@ If the shell is invoked explicitly, via ``shell=True``, it is the application's
718 718 responsibility to ensure that all whitespace and metacharacters are
719 719 quoted appropriately to avoid
720 720 `shell injection https://en.wikipedia.org/wiki/Shell\_injection#Shell\_injection\`_
721 -vulnerabilities.
722 -
723 -When using ``shell=True``, the :func:`shlex.quote` function can be
724 -used to properly escape whitespace and shell metacharacters in strings
725 -that are going to be used to construct shell commands.
721 +vulnerabilities. On :ref:`some platforms <shlex-quote-warning>`, it is possible
722 +to use :func:`shlex.quote` for this escaping.
726 723
727 724
728 725 Popen Objects
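Review bot: "On some platforms, it is possible to use :func:`shlex.quote` for this escaping" is vaguer than the paragraph it replaces and leaves the reader guessing which platforms are meant; since the linked warning says the module is only designed for Unix shells, state that here, for example "On POSIX shells, :func:`shlex.quote` can be used for this escaping; see :ref:`shlex-quote-warning` for why it must not be relied on elsewhere." Unrelated but visible in the unchanged context at line 720: the `shell injection` hyperlink is missing the opening backtick and the angle brackets reST requires around the URL; that may be rendering damage in this view, but it is worth checking while this paragraph is being edited.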