Escaping strings to be used in shell commands?
Andrew Dalke
dalke at acm.org
Thu Apr 12 16:26:00 EDT 2001
Gabriel Ambuehl asked:
>I wonder what is the easiest way to escape user submitted
>strings so I can safely use them in os.system() calls.
Here's an obscure one, commands.mkarg
>>> import commands
>>> "cp %s %s" % (commands.mkarg("; rm -rf $HOME"), commands.mkarg("'*"))
'cp \'; rm -rf $HOME\' "\'*"'
>>>
Note that it adds an extra space at the beginning of the quoted
word.
Heed Brian Langenberger's caution:
> That's better, of course, but I'm all in favor of not putting
> passwords, hashed or otherwise, through os.system() whatsoever.
> Any command-line arguments can show up in "ps", and having that
> sort of info flying around can't be a good idea.
Andrew
dalke at acm.org
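
An added example, not part of the message above: the same two hostile strings handled in Python 3, where the commands module no longer exists and shlex.quote does the quoting (POSIX shells only). The helper names are hypothetical; the last function shows one way to follow the "ps" caution by sending a secret on stdin instead of argv.

```python
import json
import shlex
import subprocess
import sys

# Constructed hostile inputs: the two strings used in the post.
HOSTILE = ["; rm -rf $HOME", "'*"]

# Child program that reports exactly which arguments it received.
ECHO = "import sys, json; print(json.dumps(sys.argv[1:]))"


def quoted_command(program, args):
    """Build one POSIX shell command line with every word quoted."""
    return " ".join(shlex.quote(word) for word in [program] + list(args))


def run_through_shell(args):
    """Pass args through /bin/sh after quoting; return what the child saw."""
    cmd = quoted_command(sys.executable, ["-c", ECHO] + list(args))
    done = subprocess.run(cmd, shell=True, check=True,
                          capture_output=True, text=True)
    return json.loads(done.stdout)


def run_without_shell(args):
    """Pass args as a list: no shell parses them, so no quoting is needed."""
    done = subprocess.run([sys.executable, "-c", ECHO] + list(args),
                          check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def send_secret_on_stdin(secret):
    """Give the child a secret on stdin so it never appears in argv or ps."""
    child = "import sys; print(len(sys.stdin.read()), len(sys.argv))"
    done = subprocess.run([sys.executable, "-c", child], input=secret,
                          check=True, capture_output=True, text=True)
    return done.stdout.split()  # [secret length, argv length]


if __name__ == "__main__":
    print(quoted_command("cp", HOSTILE))
    print(run_through_shell(HOSTILE))
    print(run_without_shell(HOSTILE))
    print(send_secret_on_stdin("constructed-secret"))
```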