Finding `dot` fails for conda install of `graphviz` on Windows about graphviz HOT 4 CLOSED

Thanks. This concerns downstream conda-forge/python-graphviz and the anaconda Graphviz package introducing the .bat wrappers (a vanilla Graphviz installation uses plain .exe binaries).

Looks like the issue is already known downstream: conda-forge/python-graphviz-feedstock#2
It might be better to fix it there. As for the implementation, it might be better to append .bat to the engine command on Windows in that package, or fall back to launch with .bat as you proposed (the patch in the pull request uses shell=True, which AFAICS may be a security risk).

from graphviz.

Thanks for pointing out the downstream issue, I wasn't sure where to best submit it. Regarding security risk of shell=True, that should not be an issue as the arguments are validated against a whitelist here, effectively preventing the risk of a shell code-injection.

That said, executables on Windows almost always have an extension, and Popen on Windows says extensions are significant. As such, having this package enforce extension-less engine commands seem counter-intuitive (i.e. this will be an issue on Windows irregardless of whether Graphviz was installed by Conda or not).

from graphviz.

Update: I read the docs again, and Popen on Windows (CreateProcess) does imply .exe if the extension is missing, so it might be acceptable to not include an extension for the engine.

from graphviz.

Yes, this machine here is actually running Windows, so I'm sure it works with vanilla Graphviz. :)

Right, the executables are whitelisted, but I imagine that a user-provided filename could be (ab)used for some kind of shell injection (but I am no security expert).

Added my proposed fix here (so this can be closed): conda-forge/python-graphviz-feedstock#6

from graphviz.