Escaping strings to be used in shell commands?
Timothy Grant
tjg at exceptionalminds.com
Thu Apr 12 11:23:37 EDT 2001
On Thu, Apr 12, 2001 at 03:02:43PM +0000, Brian Langenberger wrote:
> Gabriel Ambuehl <gabriel_ambuehl-py at buz.ch> wrote:
> : -----BEGIN PGP SIGNED MESSAGE-----
>
> : Hello,
> : I wonder what is the easiest way to escape user submitted strings so I
> : can
> : safely use them in os.system() calls. Limiting the allowed chars isn't
> : feasible since I want them to use as safe passwords as possible and
> : those generally DO consist of special chars. Any good ideas how I
> : could solve this?
>
> Try checking into the crypt or md5 modules and try encrypting the
> password from within python. Someone might actually want their
> password to be ";rm -rf *", which is harmless to pass to crypt()
> but undesirable to send to os.system().
Even given this caveat, the md5crypt module will generate
strings that can't be passed directly to os.system()--the
dollar signs must be escaped. Having just been through this a
couple of weeks ago, the following regex solved the problem.
re.sub(r'\$', r'\$', password)
--
Stand Fast,
tjg.
Timothy Grant tjg at exceptionalminds.com
Chief Technology Officer www.exceptionalminds.com
HyperLINq Technologies, Inc. <>< (503) 246-3630
>>>>>>>>>>>>>Linux, because rebooting is *NOT* normal<<<<<<<<<
>>>>This machine was last rebooted: 15 days 17:31 hours ago<<
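An added example, not part of the original message or the thread's code: it goes beyond dollar signs and checks, for several kinds of input, whether a value reaches a child process unchanged when passed as an argv element with no shell, when quoted with shlex.quote() from current Python, and when only dollar signs are escaped. The sample values, the function names, and the placement of the dollar-escaped value inside double quotes are assumptions made for the demonstration.

```python
import re
import shlex
import subprocess
import sys

# Child program that writes back exactly the one argument it received.
ECHO_ARG = "import sys; sys.stdout.write(sys.argv[1])"

# Constructed sample values (not taken from the thread).
SAMPLES = [
    "$1$ab12cd34$Xq9ZkT0pLmN3vR7sYw2uE/",      # shaped like md5crypt output
    "pa$$word with spaces",
    "it's a 'quoted' \"value\"",
    "semi;colon & pipe | star * back\\slash",
    "`echo SUBSTITUTED` $(echo SUBSTITUTED)",
]

def run_argv(value):
    """No shell involved: the value is a single argv element, nothing to escape."""
    out = subprocess.run([sys.executable, "-c", ECHO_ARG, value],
                         capture_output=True, text=True, check=True)
    return out.stdout

def run_shell(value, quoter):
    """Build a /bin/sh command line, quoting the value with `quoter`."""
    cmd = " ".join([shlex.quote(sys.executable), "-c",
                    shlex.quote(ECHO_ARG), quoter(value)])
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout

def dollar_only(value):
    """Escape only '$'; wrapping in double quotes is this example's assumption."""
    return '"' + re.sub(r"\$", r"\$", value) + '"'

def survives(value):
    """Report which strategies deliver the exact original string to the child."""
    return {
        "argv list": run_argv(value) == value,
        "shlex.quote": run_shell(value, shlex.quote) == value,
        "dollar-only": run_shell(value, dollar_only) == value,
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), survives(sample))
```

Dollar-only escaping round-trips the hash-shaped values, but not the values containing double quotes or backticks; the argv-list form needs no escaping because no shell ever parses the string.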