When to use Shell=True for Python subprocess module


Problem description


It seems whenever I try to use Python's subprocess module, I find I still don't understand some things. Currently, I was trying to join 3 mp4 files from within a Python module.

When I tried

z ='MP4Box -cat test_0.mp4 -cat test_1.mp4 -cat test_2.mp4 -new test_012d.mp4'
subprocess.Popen(z,shell=True)

Everything worked.

When I tried

z = ['MP4Box', '-cat test_0.mp4', '-cat test_1.mp4', '-cat test_2.mp4', '-new test_012d.mp4']
subprocess.Popen(z,shell=False)

I got the following error:

Option -cat test_0.mp4 unknown. Please check usage

I thought that for shell=False I just needed to supply a list where the first element was the executable I wanted to run and each succeeding element was an argument to that executable. Am I mistaken in this belief, or is there a correct way to create the command I wanted to use?

Also, are there any rules for using Shell=True in subprocess.Popen? So far, all I really know(?) is "don't do it - you can expose your code to Shell injection attacks". Why does Shell=False avoid this problem? Is there ever an actual advantage to using 'Shell=True'?

Solution

If shell is True, the specified command will be executed through the shell. This can be useful if you are using Python primarily for the enhanced control flow it offers over most system shells and still want convenient access to other shell features such as shell pipes, filename wildcards, environment variable expansion, and expansion of ~ to a user’s home directory.

When is shell=True dangerous?

If we execute shell commands that might include unsanitized input from an untrusted source, it will make a program vulnerable to shell injection, a serious security flaw which can result in arbitrary command execution. For this reason, the use of shell=True is strongly discouraged in cases where the command string is constructed from external input.

Eg. (Taken from docs)

>>> from subprocess import call
>>> filename = input("What file would you like to display?\n")
What file would you like to display?
non_existent; rm -rf / #
>>> call("cat " + filename, shell=True) # Uh-oh. This will end badly..
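The following added example is not part of the original question or answer; it puts the two halves of the thread together. shlex.split produces the correctly tokenized argv for the MP4Box command from the question (one element per word, not one element per option-plus-value), and the docs' `cat` injection is replayed against a harmless argv-printing child process to show what shell=False and shlex.quote each do with the hostile filename. The MP4Box command string is taken from the question; the argv probe, HOSTILE_NAME, IS_POSIX and the function names are this example's own assumptions.

```python
import json
import os
import shlex
import subprocess
import sys
from typing import List

# shlex.quote emits POSIX sh quoting; the shell=True path below is POSIX-only.
IS_POSIX = os.name == "posix"

# Constructed hostile filename, modelled on the docs example: ';' ends the
# intended command and '#' comments out anything the program appends after it.
HOSTILE_NAME = "non_existent; rm -rf / #"

# A harmless child process that reports the argv it actually received. The
# running interpreter stands in for `cat`/MP4Box so the demo needs no other tool.
ARGV_PROBE = [sys.executable, "-c",
              "import json, sys; print(json.dumps(sys.argv[1:]))"]


def split_like_the_shell(cmd: str) -> List[str]:
    """Turn a command string into the argv list that shell=False expects.

    The question's list put '-cat test_0.mp4' into ONE element, so MP4Box saw a
    single unknown option. shlex.split yields one element per word, as a shell
    would, which is the list form of the shell=True string that worked.
    """
    return shlex.split(cmd)


def vulnerable_shell_string(untrusted: str) -> str:
    """The anti-pattern from the docs. Returned, NOT executed: with shell=True
    the shell would run `cat non_existent` and then `rm -rf /`."""
    return "cat " + untrusted


def child_argv_no_shell(untrusted: str) -> List[str]:
    """shell=False: the untrusted value is one argv element and no shell ever
    parses it, so ';' and '#' arrive as ordinary characters."""
    result = subprocess.run(ARGV_PROBE + [untrusted],
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def child_argv_shell_quoted(untrusted: str) -> List[str]:
    """shell=True for when shell features (pipes, globs) are genuinely needed:
    every piece built from untrusted data goes through shlex.quote, so the
    shell sees one literal word instead of command syntax."""
    if not IS_POSIX:
        raise NotImplementedError("shlex.quote is for POSIX shells only")
    cmd = " ".join(shlex.quote(part) for part in ARGV_PROBE + [untrusted])
    result = subprocess.run(cmd, shell=True,
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    print(split_like_the_shell(
        "MP4Box -cat test_0.mp4 -cat test_1.mp4 -cat test_2.mp4 -new test_012d.mp4"))
    print("would run via shell:", repr(vulnerable_shell_string(HOSTILE_NAME)))
    print("shell=False child saw:", child_argv_no_shell(HOSTILE_NAME))
    if IS_POSIX:
        print("shell=True (quoted) child saw:", child_argv_shell_quoted(HOSTILE_NAME))
```

Both the shell=False call and the shlex.quote call deliver the whole hostile string as a single argument; the difference is that shell=False needs no quoting discipline at all, which is why it is the default to reach for, and shlex.quote is the fallback only when a shell feature is actually required.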
