Developing a simple application, some code analysis tools gave me the following warning:
Consider possible security implications associated with call module.
For this particular code snippet: from subprocess import call
, and below also in this call ( '...', shell = True )
snippet, I tried with shell = false
and it did not work, the call of this method in the program is done with argument of type string and not list, but in this case I tested it with a list of arguments as well.
As far as I know about import, scope of symbols and performance, this would be the best way to import since I'll be using only this function, am I right?
Reading this excerpt from the documentation:
If passing a single string, either shell must be True (see below) or else the string must simply name the program to be executed without specifying any arguments.
I realized that even though the use is insecure, the implementation is correct, but reading a little more only gave me more doubts, 'If the shell is True, the specified command will be executed through the shell', and if it is not equal the true
... where will it run?
Ps: 'If args is a string, the interpretation is platform-dependent and described below. '(Is this about Popen
, same goes for call
?)
Is there any way to stop using the call
method with argument of type string
safe? (Or I'll have to use Popen
which I believe to be basically the same thing but with more arguments - I'm asking in part out of curiosity)