Calling CLI tools may be insecure #152
Comments
KOLANICH
changed the title
|
Thanks for reporting this @KOLANICH! #133 replaces the subprocess call with an API call. Though the ghostscript library for Python is available only on PyPI and not on any conda channels (correct me if I'm wrong). I'm thinking of either create a conda recipe and submitting to conda-forge or maybe vendorizing the library code. The best thing would be to replace ghostscript altogether #96. Would you like to take this up? |
|
The bindings are pure python (no compiled extension involved, ctypes are used) so I guess sdist is OK. But we have a problem. The bindings have no docs, and we wanna avoid creating any files doing everything in memory. So the API currently used is unsuitable. |
|
Let's continue the discussion at #133, closing this. |
|
On second thought, let me reopen this till we have a solution for the ghostscript problem. |
Calling CLI tools and passing them arguments via CLI may be insecure. API should be used and it seems that ghostscript has one and python bindings too.
The text was updated successfully, but these errors were encountered: