subprocess.call is also vulnerable to this, though. It calls out to bash.

panzi · on Sept 30, 2014

Vulnerable to what? The the environment variable problem? I was talking about program argument parsing. os.system("ls %s" % foo) != subrocess.call(["ls",foo])

meowface · on Oct 1, 2014

Ah, I misunderstood then. I agree with you on that point. I assumed you were talking about "Shellshock".

Redoubts · on Sept 27, 2014

I believe you would need to explicitly pass shell=True for that though.

meowface · on Sept 28, 2014

Nope, it's not necessary. Test it with a vulnerable CGI app and call:

subprocess.call(["date"])

Or if bash is not your default shell:

subprocess.call(["bash", "-c", "date"])