
On 5 September 2015 at 12:36, Nikolaus Rath wrote:
> Hi Nick,
>
> You are giving
>
> runcommand(sh(i"cat (unknown)"))
>
> as an example that avoids injection attacks. While this is true, I think
> this is still a terrible anti-pattern[1] that should not be entombed in
> a PEP as a positive example.
>
> Could you consider removing it?
>
> (It doubly wastes resources by pointlessly calling a shell, and then by
> parsing & quoting the argument only for the shell to do the same in
> reverse).

Any reasonable implementation of that pattern wouldn't actually call a
system shell, it would invoke something like Julia's command system.


Cheers,
Nick.


--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
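The kind of command system Nick has in mind, as an added illustration for this thread rather than code from PEP 501, CPython or the Julia project: the template is parsed into an argv list once, each interpolated value becomes a single argument, and the list goes to exec with no shell in between, so there is nothing to quote and nothing for a shell to un-quote. Python has no i"..." literal, so the template is written here as literal text segments interleaved with Interp(...) markers (a hypothetical type), and build_argv, run, argv_seen_by_child and as_shell_string are names chosen for this example only. The hostile filename is a constructed input.

```python
"""Command templates split straight into argv, with no /bin/sh involved.

Added illustration for this thread, not code from PEP 501 or CPython.
Interp is a stand-in for an interpolated value inside an i"..." template;
all function names here are hypothetical.
"""
import json
import shlex
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Interp:
    """An interpolated value inside a command template (hypothetical type)."""
    value: object


def build_argv(*parts):
    """Turn a template into an argv list without consulting a shell.

    Literal segments are split with POSIX word rules (shlex.split), so the
    spaces and quotes the programmer typed behave as they would in a shell.
    Each interpolated value becomes exactly one argument (or the tail of the
    word it is glued to, as in "--out={name}"), whatever characters it holds.
    There is no quoting step because nothing will ever re-parse the result.
    """
    argv = []
    glue = False  # True when the previous part ended mid-word
    for part in parts:
        if isinstance(part, Interp):
            text = str(part.value)
            if glue:
                argv[-1] += text
            else:
                argv.append(text)
            glue = True
            continue
        words = shlex.split(part)
        if words and glue and not part[0].isspace():
            argv[-1] += words[0]  # literal continues the interpolated word
            words = words[1:]
        argv.extend(words)
        glue = bool(part) and not part[-1].isspace()
    return argv


def run(*parts, **kwargs):
    """Execute the template the way Julia's backtick commands do: the argv
    list goes to exec with shell=False, so "|", ";" and "$(...)" inside a
    value are ordinary bytes in one argument, never shell syntax."""
    return subprocess.run(build_argv(*parts), shell=False, **kwargs)


def argv_seen_by_child(*parts):
    """Show the point end to end: hand the template's arguments to a child
    Python process and return the argv it actually received."""
    echo_argv = [sys.executable, "-c",
                 "import json, sys; print(json.dumps(sys.argv[1:]))"]
    proc = subprocess.run(echo_argv + build_argv(*parts),
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def as_shell_string(*parts):
    """The pattern Nikolaus objects to: quote every value so that a shell
    can split the string back into the words build_argv() already had."""
    return "".join(shlex.quote(str(p.value)) if isinstance(p, Interp) else p
                   for p in parts)


if __name__ == "__main__":
    filename = "report.txt; rm -rf /"  # constructed hostile input
    print(build_argv("cat ", Interp(filename), " | wc -l"))
    print(argv_seen_by_child("cat ", Interp(filename)))
    print(as_shell_string("cat ", Interp(filename)))
```

Because no shell runs, a "|" written in the literal part of the template is passed to the program as an argument rather than building a pipeline; a pipeline has to be assembled explicitly with subprocess (Julia likewise keeps that in a separate pipeline function). That restriction is the price of removing both the shell invocation and the quote-then-unquote round trip that Nikolaus calls wasteful.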

Discussion overview: python-dev @ python.org; posted Sep 5, '15 at 2:36a, active Sep 5, '15 at 5:54p; 3 posts, 2 users (Nikolaus Rath: 2 posts, Nick Coghlan: 1 post).