Problem with popen() and a regular expression

Donn Cave donn at u.washington.edu
Wed Mar 6 13:09:00 EST 2002


Quoth Joonas Paalasmaa <joonas at olen.to>:
| Simon Willison wrote:
|> Joonas Paalasmaa wrote:
|>> Simon Willison wrote:
|>>| I've written a simple Python script to scan a bunch of URLs for "live"
|>>| sites and grab the title of those pages. It works by using popen() to
|>>| call lynx and analyse the HTTP response:
|>>|
|>>| -----------------------------------------------------------------
|>>|
|>>| command = "/opt/bin/lynx -mime_header http://www.bath.ac.uk/~"+user+"/"
|>>
|>>
|>> Use:
|>>
|>> command=["/opt/bin/lynx","-mime_header","http://www.bath.ac.uk/~"+user+"/"]
|>>
|>> for better security.
|> 
|> I'm a Python newbie :) How does that make things more secure?
|
| If you pass a string to os.popen as the first argument, the process is
| invoked by running the argument in a shell. That can cause problems if the
| string is composed from non-safe variables. Imagine a situation where
| variable 'user' is "; rm -fR ~/; echo ". That causes the command
| "/opt/bin/lynx -mime_header http://www.bath.ac.uk/~; rm -fR ~/; echo /"
| to be run in the shell.
| But if a list is passed to os.popen, os.popen will run the program named
| in the first item of the list with the rest of the list as arguments.

TypeError: popen() argument 1 must be string, not list

You meant os.popen2(), not os.popen().

	Donn Cave, donn at u.washington.edu
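
The difference discussed in this thread, as an added example that is not part of the original messages: the same untrusted `user` value is sent once through a shell-parsed command string and once as an argument list. It assumes a POSIX shell and uses `subprocess` in place of the `os.popen`/`os.popen2` calls named above (`os.popen2` no longer exists in Python 3); the lynx stand-in, the function names and the payload are constructed for the demonstration.

```python
import shlex
import subprocess
import sys

# Constructed stand-in for /opt/bin/lynx: a child process that prints the
# argument vector it actually received, so the demo runs without lynx.
ARGV_ECHO = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]
BASE = "http://www.bath.ac.uk/~"

# Constructed, harmless payload with the same shape as the one in the thread.
HOSTILE_USER = "; echo INJECTED; echo "


def run_via_shell(user):
    """String form: /bin/sh parses the line, so ';' in user starts a new command."""
    command = shlex.join(ARGV_ECHO) + " -mime_header " + BASE + user + "/"
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_via_argv(user):
    """List form: no shell is involved; user stays inside one argv entry."""
    command = ARGV_ECHO + ["-mime_header", BASE + user + "/"]
    done = subprocess.run(command, capture_output=True, text=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # Shell form: three output lines, because three commands ran.
    print("shell:", run_via_shell(HOSTILE_USER))
    # List form: one output line, with the payload inert inside the URL argument.
    print("argv: ", run_via_argv(HOSTILE_USER))
```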


