I was wondering if I could improve speed using shell=False in subprocess.run, and I stumbled on this thread:
piping in shell via Python subprocess module.
And now I understand why all the parsing is important: someone could try to inject commands in those Docker labels and try to run something with higher privilege.
If somehow those input validations are broken in the future, could it be a good idea to use subprocess.run with shell=False?
Because without a shell, piping is not working. This could prevent a scenario like this and probably improve speed.
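An added example, not part of the original post or the project's own code, of the question raised above: the same label value passed through a shell-parsed command string and through an argument list with shell=False, plus a pipe built from two processes without any shell. The label value and all function names are constructed for illustration, and the shell=True case assumes a POSIX /bin/sh.

```python
import subprocess
import sys

# Constructed sample: a label value that contains a shell metacharacter.
LABEL = "nightly; echo INJECTED"

# Tiny child programs so the example does not depend on external tools.
PRINT_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
UPPER = [sys.executable, "-c",
         "import sys; sys.stdout.write(sys.stdin.read().upper())"]


def run_with_shell(label):
    """Before: the label is pasted into a string that /bin/sh parses."""
    done = subprocess.run("echo " + label, shell=True,
                          capture_output=True, text=True)
    return done.stdout.splitlines()


def run_without_shell(label):
    """After: the label is one argv element; nothing parses it as syntax."""
    done = subprocess.run(PRINT_ARG + [label], capture_output=True,
                          text=True, check=True)
    return done.stdout.splitlines()


def pipe_without_shell(label):
    """Equivalent of `producer | filter`, wired up without a shell."""
    producer = subprocess.Popen(PRINT_ARG + [label], stdout=subprocess.PIPE)
    consumer = subprocess.Popen(UPPER, stdin=producer.stdout,
                                stdout=subprocess.PIPE, text=True)
    producer.stdout.close()  # lets the producer see SIGPIPE if consumer exits
    out, _ = consumer.communicate()
    producer.wait()
    return out.splitlines()


if __name__ == "__main__":
    print(run_with_shell(LABEL))      # the shell ran two commands
    print(run_without_shell(LABEL))   # the label stayed a single string
    print(pipe_without_shell(LABEL))  # piped through a filter, still no shell
```

With shell=False the validation of the label is no longer the only barrier, because the value never reaches a command parser in the first place.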