[Python-Dev] PEP 501 Shell Command Examples
Nikolaus Rath Nikolaus at rath.org
Sat Sep 5 04:36:55 CEST 2015
Hi Nick,
You are giving
    runcommand(sh(i"cat {filename}"))
as an example that avoids injection attacks. While this is true, I think this is still a terrible anti-pattern[1] that should not be entombed in a PEP as a positive example.
Could you consider removing it?
(It doubly wastes resources by pointlessly calling a shell, and then by parsing & quoting the argument only for the shell to do the same in reverse).
Best,
-Nikolaus

GPG encrypted emails preferred.
Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

»Time flies like an arrow, fruit flies like a Banana.«
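
Added example, not part of the original message or of PEP 501: the three ways of running `cat` on an untrusted file name that the message contrasts, run against a constructed file name. `shlex.quote` stands in for the PEP's `sh()` renderer, and the function names and the sample file name are assumptions made for this illustration.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path

# Constructed sample: a legal POSIX file name that contains shell syntax.
HOSTILE_NAME = "notes; echo INJECTED #.txt"

def _run(cmd, cwd, shell):
    done = subprocess.run(cmd, cwd=cwd, shell=shell, capture_output=True, text=True)
    return done.stdout

def cat_shell_unquoted(filename, cwd):
    # Raw interpolation: the shell parses the file name as syntax.
    return _run(f"cat {filename}", cwd, shell=True)

def cat_shell_quoted(filename, cwd):
    # Stand-in for sh(i"cat {filename}"): quote, then let /bin/sh unquote.
    return _run(f"cat {shlex.quote(filename)}", cwd, shell=True)

def cat_direct(filename, cwd):
    # No shell: the name is one argv element and is never parsed.
    return _run(["cat", filename], cwd, shell=False)

def demo():
    with tempfile.TemporaryDirectory() as cwd:
        Path(cwd, HOSTILE_NAME).write_text("file contents\n")
        return {
            "unquoted": cat_shell_unquoted(HOSTILE_NAME, cwd),
            "quoted": cat_shell_quoted(HOSTILE_NAME, cwd),
            "direct": cat_direct(HOSTILE_NAME, cwd),
            # The quoting step is undone by shell-style parsing.
            "round_trip": shlex.split(shlex.quote(HOSTILE_NAME)) == [HOSTILE_NAME],
        }

if __name__ == "__main__":
    for variant, output in demo().items():
        print(f"{variant:>10}: {output!r}")
```

The quoted-shell and direct variants return the same file contents; the direct call gets there without starting a shell or doing a quote/unquote round trip.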