PR #4670 removes the shell=True kwarg from almost all calls to subprocess.Popen, including the call within g.execute_shell_commands. As discussed in the PR, these are breaking changes to Leo's scripting API.
This pattern persisted because I foolishly cut and pasted code over the years. Now I know better: Leo's code allows shell=True only where the to-be-executed code contains static calls to Windows console commands.
This PR fixes various potential security holes. The at_produce.py, mime.py, and run_nodes.py plugins were especially concerning.
As I write this, I see another possible security vulnerability. Suppose somebody starts a long-running Leo server (leoserver.py). How does that server guard against malicious scripts? Any comments?
Please continue testing the "devel" branch!
Edward
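The following is an added illustration of the class of hole the PR closes; it is not code from Leo, from PR #4670, or from the post above. It assumes a POSIX shell (where ';' separates commands; cmd.exe would use '&'), and uses the Python interpreter itself as a harmless stand-in for whatever tool a script would really invoke, so it runs offline. The "untrusted" value is a constructed sample such as a headline or file name that a script interpolates into a command.

```python
"""Added example: shell=True turns data into shell syntax; an argv list does not.
Not Leo code. Assumes a POSIX sh; the sample input below is constructed."""
import json
import shlex
import subprocess
import sys

# Constructed untrusted input. Under sh, the ';' ends the intended command
# and starts a second one chosen by whoever controlled this string.
UNTRUSTED = "notes.txt; echo INJECTED"

# Stand-in for a real command: a child Python that prints its argv as JSON.
ECHO_ARGS = [sys.executable, "-c",
             "import sys, json; print(json.dumps(sys.argv[1:]))"]


def run_unsafe(user_value: str) -> str:
    """The pattern being removed: build one string, let the shell parse it.
    The static part is quoted; the data is not, as in copy-pasted code."""
    cmd = " ".join(shlex.quote(a) for a in ECHO_ARGS) + " " + user_value
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_safe(user_value: str) -> str:
    """The replacement: pass an argv list with shell=False (the default).
    The value reaches the child as a single argument; no shell ever sees it."""
    proc = subprocess.run(ECHO_ARGS + [user_value], capture_output=True, text=True)
    return proc.stdout


def argv_seen_by_child(stdout: str) -> list:
    """The child's first output line is its JSON argv list."""
    return json.loads(stdout.splitlines()[0])


if __name__ == "__main__":
    print("shell=True :", run_unsafe(UNTRUSTED).splitlines())
    print("argv list  :", run_unsafe and run_safe(UNTRUSTED).splitlines())
```

Running it shows the shell=True path executing the injected echo after the intended command, while the argv-list path hands the child the whole string as one argument. This is also why shlex.quote at each call site is a weaker fix than dropping shell=True: it must be applied to every piece of data on every call, and it is POSIX-only, which matches the post's decision to keep shell=True solely for static Windows console commands.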