Software Properties

Merge lp:~evfool/software-properties/lp1060192 into lp:software-properties

  1. lp1060192
  2. Merge into main
Proposed by Robert Roth
Status: Merged
Merged at revision: 830
Proposed branch: lp:~evfool/software-properties/lp1060192
Merge into: lp:software-properties
Diff against target: 14 lines (+2/-2)
1 file modified
softwareproperties/MirrorTest.py (+2/-2)
To merge this branch: bzr merge lp:~evfool/software-properties/lp1060192
Reviewer Review Type Date Requested Status
Ubuntu Core Development Team Pending
Review via email: mp+148210@code.launchpad.net

Commit message

- Do not use Shell=True unnecessarily in subprocess.Popen (bug #1060192)

Description of the change

As the python subprocess Popen documentation states: "the use of shell=True is strongly discouraged in cases where the command string is constructed from external input".
We construct the command to execute from mostly well-known parameters, unless the hostname of the mirror to test, which comes from /usr/share/python-apt/templates/ mirrors file, which can be (mostly) anything.
As bug #1060192 states, it does not really make a difference in this context whether we use shell=True or False, but maybe it is safer to use shell=False.

To post a comment you must log in.
Revision history for this message
Michael Vogt (mvo) wrote :

On Wed, Feb 13, 2013 at 03:24:18PM -0000, Robert Roth wrote:
> Robert Roth has proposed merging lp:~evfool/software-properties/lp1060192 into lp:software-properties.
>
> Commit message:
> - Do not use Shell=True unnecessarily in subprocess.Popen (bug #1060192)
 [..]

Great! Thanks for working on this!

> self.parent.report_action("Pinging %s..." % host)
> - commando = subprocess.Popen("ping -q -c 2 -W 1 -i 0.5 %s" % host,
> - shell=True, stdout=subprocess.PIPE,
> + commando = subprocess.Popen(["ping", "-q", "-c 2", "-W 1", "-i 0.5", host],
> + stdout=subprocess.PIPE,
> stderr=subprocess.STDOUT,
> universal_newlines=True).stdout
> while True:

You can also go one step further and do ["ping", "-c", "2", "-W",
"1"...].

But ping is fine with both. Thanks again for getting rid of the
shell=True.

Cheers,
 Michael

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'softwareproperties/MirrorTest.py'
2--- softwareproperties/MirrorTest.py 2012-07-05 13:32:44 +0000
3+++ softwareproperties/MirrorTest.py 2013-02-13 15:23:25 +0000
4@@ -41,8 +41,8 @@
5 host = mirror.hostname
6
7 self.parent.report_action("Pinging %s..." % host)
8- commando = subprocess.Popen("ping -q -c 2 -W 1 -i 0.5 %s" % host,
9- shell=True, stdout=subprocess.PIPE,
10+ commando = subprocess.Popen(["ping", "-q", "-c 2", "-W 1", "-i 0.5", host],
11+ stdout=subprocess.PIPE,
12 stderr=subprocess.STDOUT,
13 universal_newlines=True).stdout
14 while True:

Subscribers

People subscribed via source and target branches

to status/vote changes: