Don't use Popen(..., shell=True). #11624

Merged
merged 1 commit into from Jul 11, 2018

@QuLogic QuLogic commented Jul 10, 2018

PR Summary

This is something that bandit complains about with "high" severity, though I don't think it's actually all that severe in this case.

PR Checklist

  • Has Pytest style unit tests
  • Code is PEP 8 compliant
  • [N/A] New features are documented, with examples if plot related
  • [N/A] Documentation is sphinx and numpydoc compliant
  • [N/A] Added an entry to doc/users/next_whats_new/ if major new feature (follow instructions in README.rst there)
  • [N/A] Documented in doc/api/api_changes.rst if API changed in a backward-incompatible way

@WeatherGod WeatherGod left a comment

Looks good to me. I agree that it is unlikely anything could go wrong here, but might as well fix it anyway since the shell=True wasn't even needed.

I'll leave separate the question of why we are using Popen, and not something like check_output(), but that can be for a different day.

@timhoffm timhoffm left a comment

We don't need the shell here.

Note: This could nowadays be written using subprocess.run.
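
An added illustration, not part of this thread and not matplotlib's or bandit's code: a minimal AST check in the spirit of the bandit finding discussed above. It flags `subprocess` calls that pass `shell=True` and records whether the command is a plain string literal. The sample commands, `tool` and `user_path` are constructed.

```python
import ast

# Functions in the subprocess module that accept a shell= keyword.
SUBPROCESS_CALLS = {"Popen", "run", "call", "check_call", "check_output"}


def _call_name(func):
    """Return the trailing name of a call target: Popen or subprocess.Popen."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def find_shell_true(source):
    """Return (line, function, command_is_literal) for each shell=True call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        if name not in SUBPROCESS_CALLS:
            continue
        for kw in node.keywords:
            is_const = isinstance(kw.value, ast.Constant)
            if kw.arg == "shell" and is_const and kw.value.value is True:
                # A bare string literal carries no external input by itself;
                # a variable, concatenation or call result needs a closer look.
                literal = bool(node.args) and isinstance(node.args[0], ast.Constant)
                findings.append((node.lineno, name, literal))
    return sorted(findings)


# Constructed sample input (hypothetical commands, not matplotlib's code).
SAMPLE = '''\
import subprocess
from subprocess import Popen, PIPE

p = Popen("tool --version", shell=True, stdout=PIPE)
q = subprocess.Popen("tool " + user_path, shell=True)
r = subprocess.run(["tool", "--version"], stdout=PIPE)
s = subprocess.check_output(["tool", user_path])
'''

if __name__ == "__main__":
    for line, func, literal in find_shell_true(SAMPLE):
        kind = "literal command" if literal else "dynamic command"
        print(f"line {line}: {func}(..., shell=True) with {kind}")
```

The last two sample lines pass an argument list without a shell, which is the form the reviewers point to with `check_output()` and `subprocess.run`.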

@tacaswell tacaswell added this to the v2.2.3 milestone Jul 10, 2018
@WeatherGod WeatherGod merged commit b3e900d into matplotlib:master Jul 11, 2018
lumberbot-app bot commented Jul 11, 2018

There seems to be a conflict, please backport manually

@WeatherGod

So, the conflict is that the v2.2.x code had the string literal wrapped with a str() constructor. Why did we do that?

QuLogic commented Jul 11, 2018

Because Python 2 didn't like Unicode input.

WeatherGod commented Jul 11, 2018 via email

QuLogic commented Jul 11, 2018

We were when the str was added: df27722; unicode literals was removed in fa92b90.

WeatherGod commented Jul 11, 2018 via email

QuLogic pushed a commit that referenced this pull request Jul 11, 2018
Don't use Popen(..., shell=True).
QuLogic added a commit that referenced this pull request Jul 11, 2018
@QuLogic QuLogic deleted the unsafe-popen branch April 16, 2021 21:53