You will notice that in this example we are passing a list of arguments. The first item in the list is the program we want to call. Anything else in the list is an argument that we want to pass to that program. So in this example, we are executing a ping against Yahoo's website. You will notice that the return code was zero, so everything completed successfully.

You can also execute the program using the operating system's shell. This adds a level of abstraction to the process, and it raises the possibility of security issues. Here is the Python documentation's official warning on the matter:

"Executing shell commands that incorporate unsanitized input from an untrusted source makes a program vulnerable to shell injection, a serious security flaw which can result in arbitrary command execution. For this reason, the use of shell=True is strongly discouraged in cases where the command string is constructed from external input."

The usual recommendation is not to use shell=True if an outside process or person can modify the call's arguments.
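The following is an added example, not code from the original post, that makes the difference concrete: the same attacker-controlled string is passed once through a shell=True command string, once as an item in an argv list, and once through a shell string that has been quoted with shlex.quote. It uses echo instead of ping so it runs offline without network access, and it adds a hostname allow-list check (the HOSTNAME_RE pattern and build_ping_argv are this example's own, not from the post) as the validation step a practitioner would want before handing external input to any command. It assumes a POSIX system where /bin/sh and echo are available.

```python
import re
import shlex
import subprocess

# Allow-list for a ping target: DNS labels of letters, digits and hyphens,
# up to 253 characters in total. Anything else (spaces, ';', '|', '$', ...)
# is rejected before it ever reaches subprocess.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(value: str) -> bool:
    """Return True only for strings that look like a plain DNS hostname."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def echo_via_shell(target: str) -> str:
    """Vulnerable pattern: the input is spliced into a command string and
    handed to /bin/sh, so shell metacharacters in it are interpreted."""
    proc = subprocess.run("echo " + target, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def echo_via_argv(target: str) -> str:
    """Safe pattern: an argv list with no shell. The entire string becomes a
    single argument to the echo program, metacharacters included."""
    proc = subprocess.run(["echo", target], capture_output=True, text=True)
    return proc.stdout


def echo_via_shell_quoted(target: str) -> str:
    """If a shell really is required, quote every externally supplied argument
    with shlex.quote so /bin/sh sees it as one literal word."""
    proc = subprocess.run("echo " + shlex.quote(target), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def build_ping_argv(target: str) -> list:
    """Validate the target against the allow-list, then build the argv list
    the post's ping example uses (one packet, no shell)."""
    if not is_valid_hostname(target):
        raise ValueError("refusing to ping %r: not a plain hostname" % target)
    return ["ping", "-c", "1", target]


def run_ping(target: str) -> int:
    """Run the validated ping and return its exit code (0 means the host
    replied). Not exercised offline; kept to mirror the post's example."""
    return subprocess.run(build_ping_argv(target)).returncode


if __name__ == "__main__":
    # Constructed input: a hostname followed by an injected second command.
    crafted = "example.com; echo INJECTED"
    print("shell=True   :", repr(echo_via_shell(crafted)))
    print("argv list    :", repr(echo_via_argv(crafted)))
    print("shlex.quote  :", repr(echo_via_shell_quoted(crafted)))
    print("allow-listed?:", is_valid_hostname(crafted))
```

With shell=True the output contains two lines, because /bin/sh split the string at the semicolon and ran a second echo; with the argv list (or the quoted shell string) the whole input is printed back as one literal line and nothing extra runs. The allow-list check rejects the crafted string outright, which is the cheaper defence to apply first.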