Popen - explicit env argument vs none?


Panupat Chongstitwattana

Nov 10, 2017, 6:28:39 AM
to Python Programming for Autodesk Maya
Hi guys.

I'm doing some simple test here and curious if there's any difference between these 2? 

```python
os.environ["JOEY"] = "SOMETHING"
Popen( maya, shell=True )
```

and

```python
os.environ["JOEY"] = "SOMETHING"
Popen( maya, env.dict=dict(os.environ) )
```

1 thing I notice is that, with Shell=True, maya.exe process would appear under cmd. Does that change anything vs running under explorer.exe?




Justin Israel

Nov 10, 2017, 11:34:23 PM
to python_in...@googlegroups.com

On Sat, Nov 11, 2017 at 12:28 AM Panupat Chongstitwattana <panu...@gmail.com> wrote:
> Hi guys.
>
> I'm doing some simple test here and curious if there's any difference between these 2?
>
> os.environ["JOEY"] = "SOMETHING"
> Popen( maya, shell=True )
>
> and
>
> os.environ["JOEY"] = "SOMETHING"
> Popen( maya, env.dict=dict(os.environ) )

I don't understand this syntax. Is that a typo, calling a param named env.dict?

Are you just asking about the difference between shell=True/False, or also with passing an env dict?

Running a Popen(shell=True) will execute the command under a shell (or cmd.exe on Windows). This allows the support of shell-specific constructs like pipes, variable expansion, aliases, shell startup scripts. It also has the potential for a security risk if you are accepting untrusted input for the command, since a user could tack on extra commands if you aren't careful.

Running with shell=False will do a basic fork/exec of a new process, which can only be a specific command and its arguments.

Passing an env dict to Popen is something you would do if you wanted to run the process in an environment that is different from the current process env. It is ideal to make a copy of the current env, modify the copy, and pass the copy to Popen, as opposed to modifying os.environ. It could also be a race condition to modify os.environ for the purpose of launching specific subprocesses.

> 1 thing I notice is that, with Shell=True, maya.exe process would appear under cmd. Does that change anything vs running under explorer.exe?





Panupat Chongstitwattana

Nov 13, 2017, 7:53:23 AM
to Python Programming for Autodesk Maya
Thank you Justin! You're right env.dic was my mistake.

Is the security risk a thing we should be concerned in a studio environment? I'm trying to set up a system that would load the correct version of plug-ins for each project by launching Maya with custom Env.

Justin Israel

Nov 13, 2017, 1:32:03 PM
to python_in...@googlegroups.com

On Tue, Nov 14, 2017, 1:53 AM Panupat Chongstitwattana <panu...@gmail.com> wrote:
> Thank you Justin! You're right env.dic was my mistake.
>
> Is the security risk a thing we should be concerned in a studio environment? I'm trying to set up a system that would load the correct version of plug-ins for each project by launching Maya with custom Env.

It's only a concern if you generate your shell command based on arbitrary user input. An example is reading some kind of string from the command line flags and building that into your Popen command. If you are purely building the command internally and you aren't basing the command off of aliases or environment variables then it's less of a risk. It's also less of a risk if it's not a privileged process.

Why do you specifically need shell=True anyways? What does your command look like? If you are just building a single command to launch Maya under an env, and this program is just a bootstrap to launch Maya, then maybe what you want is one of the os.exec* functions, to exec a new program and replace the current one.
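
Added example (not code from anyone in the thread): the copy-and-modify approach to the environment from the first reply, plus the os.exec* bootstrap suggested just above. `sys.executable` stands in for the Maya executable, the plug-in directory is a constructed path, and the helper names are hypothetical.

```python
import os
import subprocess
import sys


def project_env(overrides, prepend=None, base=None):
    """Return a new environment dict; os.environ itself is never modified."""
    env = dict(os.environ if base is None else base)
    env.update(overrides)
    # Path-style variables: put the project's directories ahead of any existing value.
    for name, paths in (prepend or {}).items():
        current = env.get(name)
        env[name] = os.pathsep.join(list(paths) + ([current] if current else []))
    return env


def launch(argv, env):
    """Start argv directly (shell=False) with env as the child's whole environment."""
    return subprocess.Popen(argv, env=env, stdout=subprocess.PIPE, text=True)


def replace_process(argv, env):
    """Bootstrap variant: exec argv in place of this process (never returns).
    argv[0] must be a full path; os.execvpe would search PATH instead."""
    os.execve(argv[0], argv, env)


def child_sees(names, env):
    """Run a stand-in child and report the values it sees for the given names."""
    script = "import os, sys; print('\\n'.join(os.environ.get(n, '') for n in sys.argv[1:]))"
    out, _ = launch([sys.executable, "-c", script] + list(names), env).communicate()
    return dict(zip(names, out.splitlines()))


if __name__ == "__main__":
    # Constructed per-project settings; MAYA_PLUG_IN_PATH is Maya's plug-in search path.
    env = project_env({"JOEY": "SOMETHING"},
                      prepend={"MAYA_PLUG_IN_PATH": ["/studio/projA/plugins"]})
    print(child_sees(["JOEY", "MAYA_PLUG_IN_PATH"], env))
    print("parent unchanged:", os.environ.get("JOEY") != "SOMETHING")
```

Because each launch gets its own dict, two launches for different projects in the same parent process cannot see each other's settings.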



Panupat Chongstitwattana

Nov 17, 2017, 4:03:18 AM
to Python Programming for Autodesk Maya
Thank you Justin. Appreciate your input. The Shell=True was out of curiosity since I see it being used in many script examples. 



Paul Molodowitch

Nov 17, 2017, 6:18:04 PM
to python_in...@googlegroups.com
Definitely agree with Justin - you should be avoiding shell=True unless you need to use the shell syntax for some reason.  It's often used because sometimes people get lazy, and don't want to split a command up into separate strings, ie:

```python
Popen('ls /some/file', shell=True)
```

instead of

```python
Popen(['ls', '/some/file'])
```

However, the biggest problem is that if "/some/file" is from some sort of variable, you now need to make sure you properly escape it, ie:

```python
import pipes  # Python 2 idiom; on Python 3 use shlex.quote instead
from subprocess import Popen
arg = '/some/file with a space.txt'
Popen('ls {}'.format(pipes.quote(arg)), shell=True)
```

...which most people don't bother doing - but you always should*.  So, short answer: always use shell=False unless you've got some good reason you want to use bash/cmd/whatever.  (Which reminds me, there is another potential issue with shell=True - less cross-platform compatibility.  Though, honestly, if you're calling out a process by name, 90% of the time you're going to need to make tweaks per-platform anyway...)

- Paul

*Also, I'm mostly just talking about accidental bugs (like the spaces in the filename), as opposed to security vulnerabilities / malicious intent.  I suspect that something like pipes.quote is fairly naive, and could probably be fooled by some determined hacker who knew all the details of string escaping on your particular platform / shell.
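
Added example, not part of Paul's post: the same externally supplied value passed three ways, returning what the child process actually receives. It assumes a POSIX `/bin/sh`; the sample value and helper names are constructed for illustration, a small Python child stands in for `ls`, and `shlex.quote` is used as the Python 3 name for `pipes.quote`.

```python
import shlex
import subprocess
import sys

# Stand-in child (assumption: replaces `ls`): prints each argument on its own line.
CHILD = [sys.executable, "-c", "import sys; print(*sys.argv[1:], sep='\\n')"]

# Constructed sample value, as if read from a command-line flag or a file.
UNTRUSTED = "/some/file with a space.txt; echo INJECTED"


def _shell_prefix():
    # The fixed part of the command is ours; quoting it only guards against spaces.
    return " ".join(shlex.quote(part) for part in CHILD)


def run_shell_unquoted(arg):
    """shell=True, value pasted in as-is: the shell splits and interprets it."""
    cmd = "{} {}".format(_shell_prefix(), arg)
    return subprocess.check_output(cmd, shell=True, text=True).splitlines()


def run_shell_quoted(arg):
    """shell=True, value passed through shlex.quote first."""
    cmd = "{} {}".format(_shell_prefix(), shlex.quote(arg))
    return subprocess.check_output(cmd, shell=True, text=True).splitlines()


def run_argv_list(arg):
    """shell=False with an argument list: no shell ever parses the value."""
    return subprocess.check_output(CHILD + [arg], text=True).splitlines()


if __name__ == "__main__":
    for fn in (run_shell_unquoted, run_shell_quoted, run_argv_list):
        print(fn.__name__, fn(UNTRUSTED))
```

In the unquoted case the child receives four separate arguments and the shell then runs the trailing `echo` as a second command; the other two calls deliver the value as one argument.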


