Python vs Julia Observations
Erik Engheim

Do feel welcome to propose your changes to the Python Community for 3.7

Regarding the enforcement of separating command line tokens within OS.call: IIRC it is a default security feature that can be disabled through an optional argument. For instance, a webpage uses JavaScript to sanitize user input which is piped to the Python backend and executed with OS.call. The user is supposed to just enter a domain to NSLOOKUP but instead they disable the JavaScript and send ‘google.com;echo /etc/passwd’ in order to get a list of system users and begin a brute force attack. Thankfully this is prevented by the default security measure. If disabled, you can simply pass a string as the call parameter in the manner you described.
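The mechanism the comment above describes is the argv-list form of Python's subprocess calls: when the command is given as a list, each element reaches the child process as one argument and no shell ever parses it, so shell metacharacters in user input have no special meaning. Below is an added example (not code from the original post or from the article's author) that pairs that list form with server-side hostname validation for the NSLOOKUP scenario. The `nslookup` command name comes from the comment; the regular expression and the helper that uses a Python child process instead of `nslookup` (so the demonstration runs offline) are this example's own choices.

```python
import json
import re
import subprocess
import sys
from typing import List

# Server-side allow-list for a hostname (constructed for this example):
# dot-separated labels of letters, digits and hyphens, 253 chars max.
# Client-side JavaScript checks can be bypassed, so validate here regardless.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)" + _LABEL + r"(?:\." + _LABEL + r")*$")


def is_valid_hostname(value: str) -> bool:
    """True only for input that looks like a plain hostname."""
    return bool(HOSTNAME_RE.match(value))


def build_lookup_argv(user_input: str) -> List[str]:
    """Return the argv list for an nslookup call, or raise ValueError.

    The list form is the safe default: the OS receives the hostname as a
    single argv element. Never pass a concatenated string with shell=True
    for untrusted input, because that hands the whole string to a shell
    which interprets ';', '&&', '|' and friends.
    """
    if not is_valid_hostname(user_input):
        raise ValueError("rejected input: %r" % user_input)
    return ["nslookup", user_input]


def is_rejected(user_input: str) -> bool:
    """Convenience check: does the validator refuse this input?"""
    try:
        build_lookup_argv(user_input)
    except ValueError:
        return True
    return False


def argv_as_received(user_input: str) -> List[str]:
    """Show what a child process actually sees when given the input as a list
    element. A Python child stands in for nslookup so this runs offline;
    the child simply echoes its argv back as JSON."""
    result = subprocess.run(
        [sys.executable, "-c",
         "import sys, json; print(json.dumps(sys.argv[1:]))",
         user_input],
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    print(build_lookup_argv("google.com"))
    print(is_rejected("google.com;echo /etc/passwd"))
    # Even without the validator, the list form keeps the text as ONE argument:
    print(argv_as_received("google.com;echo /etc/passwd"))
```

Running the script shows two layers: the validator refuses anything that is not a hostname, and `argv_as_received` demonstrates that even if a metacharacter-laden string did get through, the list form delivers it to the child as a single literal argument rather than as a command sequence.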
