On 5 September 2015 at 12:36, Nikolaus Rath <Nikolaus at rath.org> wrote:
> Hi Nick,
>
> You are giving
>
>     runcommand(sh(i"cat (unknown)"))
>
> as an example that avoids injection attacks. While this is true, I think
> this is still a terrible anti-pattern[1] that should not be entombed in
> a PEP as a positive example.
>
> Could you consider removing it?
>
> (It doubly wastes resources by pointlessly calling a shell, and then by
> parsing & quoting the argument only for the shell to do the same in
> reverse).

Any reasonable implementation of that pattern wouldn't actually call a
system shell, it would invoke something like Julia's command system.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
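The two implementations being argued about, as an added illustration that is not code from this thread, from PEP 501 or from Julia: `sh_quoted` is the shell-bound variant Nikolaus objects to (quote every interpolated value, hand the string to a shell, which unquotes it again), and `build_argv` is the shell-free variant Nick describes (parse the literal parts of the template once and pass each interpolated value through as a single argv entry). The function names, the `run_command` wrapper and the use of an ordinary `str.format`-style template with `{name}` fields in place of the PEP's `i"..."` literal are assumptions made so the code runs on current Python with only the standard library.

```python
import shlex
import subprocess
from string import Formatter


def sh_quoted(template, **values):
    """Anti-pattern from the thread: quote each value for a shell, return a
    command *string*.  Safe against injection only because every value is
    shlex.quote()d, and the shell then has to undo that quoting again."""
    parts = []
    for literal, field, _spec, _conv in Formatter().parse(template):
        parts.append(literal)
        if field is not None:
            parts.append(shlex.quote(str(values[field])))
    return "".join(parts)


def build_argv(template, **values):
    """Shell-free variant: tokenise only the literal text of the template
    (once, with shlex) and splice each interpolated value in as exactly one
    argument.  A value can never become a second command or an extra flag
    because no shell ever re-parses the result."""
    argv = []
    # True while the last argv entry may still be extended, e.g. "--file={p}"
    open_word = False
    for literal, field, _spec, _conv in Formatter().parse(template):
        if literal:
            tokens = shlex.split(literal)
            if tokens:
                if open_word and argv and not literal[0].isspace():
                    argv[-1] += tokens[0]  # literal text glued to previous word
                    tokens = tokens[1:]
                argv.extend(tokens)
            open_word = not literal[-1].isspace()
        if field is not None:
            if field not in values:
                raise KeyError(f"template field {field!r} has no value")
            value = str(values[field])
            if open_word and argv:
                argv[-1] += value  # value glued to the word it follows
            else:
                argv.append(value)  # value is a whole argument of its own
            open_word = True
    return argv


def run_command(argv):
    """Execute an argv list directly; shell=False is the default, so the
    list reaches the program's main() untouched."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed, deliberately hostile file name used as sample input.
    hostile = "notes.txt; echo injected"
    print(sh_quoted("cat {path}", path=hostile))   # cat 'notes.txt; echo injected'
    print(build_argv("cat {path}", path=hostile))  # ['cat', 'notes.txt; echo injected']
    print(run_command(build_argv("echo {msg}", msg=hostile)), end="")
```

The round trip Nikolaus describes is visible by feeding `sh_quoted`'s output back through `shlex.split`: it yields exactly the list `build_argv` produced directly, so the quoting step and the shell's unquoting step cancel out and the only thing the shell could add is risk.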