Calling an application from inside a python script Take 1

[Donn Cave]

Quoth "Joel Ricker" <joejava at dragonat.net>:
| Donn Cave wrote in message <9351o8$8qm$1 at nntp6.u.washington.edu>...
|
|> try that and see what happens?  That's an intentionally hostile
|> input (don't try it, really.)  Accidental input errors might be harmless,
|> or might not.
|>
|> I didn't see anything wrong with the ssh in your initial post, the
|> problem was system().  system() + user-supplied input = unpredictable
|> results.  Use spawnv().
|
|
| I'm not sure if you are familar with perl but perl has a pragma called Taint
| that when enabled prohibits the use of user supplied input until the proper
| input is regexed out of it - for example, usernames shouldn't have any
| punctuation other than _ or control codes, etc.  I'm not sure exactly what
| Python has in this regard as this is Day 1 of my Perl Recovery Program (*s*)
| but its a mindset worth applying.

I'd like to see people try spawnv().  (Or spawnvp(), whatever.)

It's nice to be able to clean up input for the shell command line, and 
maybe it's even reliable enough.  As a mindset, I'm not sure.  If you
need to walk a high-wire, then a safety net is a good idea.  If you
actually could just cross at the street level, but everyone takes the
high-wire because they don't like to walk up and down the stairs and
there's a safety net, that puts the safety net in a different perspective.
You can still break your neck.

Until now, we could only say "system() is scary, but the alternatives
are complex and laborious."  Now 2.0 has a reasonably handy alternative.
It's safer, it's faster, would appear to be portable.  Say no to
system(), at least with calculated inputs.

	Donn Cave, donn at u.washington.edu