subprocess with shell=True
Bug #1908848 reported by hanchl
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Dashboard (Horizon) | Invalid | Undecided | Unassigned | |
Bug Description
Horizon uses subprocess with shell=True in openstack_
Handle contains command with a double quote, either accidentally or maliciously, the command will be executed with shell=True. Bandit thinks it's insecure. For more information on subprocess, shell=True and command injection see: https:/
This looks like a generic warning on shell=True for subprocess and there is no practical suggestion.
shell=True is used in update_catalog and extract_catalog but they need to be executed on a shell. We cannot run these commands without shell=True. These commands are used only for maintenance by operators and there is no chance to inject malicious commands.
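
An added example, not part of the bug report or its comments and not code from Horizon or Bandit: a small AST check that finds `subprocess` calls made with `shell=True` and separates commands that are fixed string literals from commands assembled at run time, which is the first thing to establish when triaging this kind of finding. The function names and the sample source are constructed for illustration.

```python
import ast

SUBPROCESS_FUNCS = {"Popen", "call", "check_call", "check_output", "run"}


def _is_static(node):
    """True when the command is a literal with no interpolated data."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, (ast.List, ast.Tuple)):
        return all(_is_static(e) for e in node.elts)
    return False  # f-strings, % / + / .format(), variables, calls


def find_shell_true(source):
    """Return sorted (lineno, function, verdict) for subprocess.*(…, shell=True)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"
                and func.attr in SUBPROCESS_FUNCS):
            continue
        shell = next((k.value for k in node.keywords if k.arg == "shell"), None)
        if not (isinstance(shell, ast.Constant) and shell.value is True):
            continue
        # The command is the first positional argument or the 'args' keyword.
        cmd = node.args[0] if node.args else next(
            (k.value for k in node.keywords if k.arg == "args"), None)
        verdict = "static" if cmd is not None and _is_static(cmd) else "dynamic"
        findings.append((node.lineno, func.attr, verdict))
    return sorted(findings)


# Constructed sample source (only parsed, never executed); not Horizon code.
SAMPLE = '''
import subprocess
subprocess.call("pybabel --version", shell=True)
subprocess.call("pybabel update -l %s" % locale, shell=True)
subprocess.check_output(f"msgfmt {path}", shell=True)
subprocess.call(["pybabel", "update", "-l", locale])
'''

if __name__ == "__main__":
    for lineno, name, verdict in find_shell_true(SAMPLE):
        print(f"line {lineno}: subprocess.{name}(shell=True), {verdict} command")
```

A "dynamic" verdict only means the command string is built from values the check cannot see; whether those values can carry untrusted input still has to be traced by hand.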