Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use shell=True in subprocess.check_output #30

Open
juanesarango opened this issue Jun 24, 2021 · 0 comments
Open

use shell=True in subprocess.check_output #30

juanesarango opened this issue Jun 24, 2021 · 0 comments

Comments

@juanesarango
Copy link
Contributor

Apparently there are some security issues by using shell=True. But without having it, we also lose a lot of features, like piping, wildcards (*), etc.

Example:

> !echo 'It Works' > tmp
> !cat tmp | xargs echo
It Works

> subprocess.check_output(['cat', 'tmp', '|', 'xargs', 'echo'])
CalledProcessError: Command '['cat', 'tmp', '|', 'xargs', 'echo']' returned non-zero exit status 1.

> subprocess.check_output('cat tmp | xargs echo', shell = True)
b'It Works\n'

A workaround can be done by using bash to run a script or command

> subprocess.check_output(['bash', '-c', 'cat tmp | xargs echo'])
b'It Works\n'

The question is if using bash -c <command> or bash <script> it's the same as shell=True. If it is, if we should add support as a param option.

Some good resource for this: https://stackoverflow.com/a/51950538/3949081

cc: @mflevine

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant