Securely passing arguments when opening a pipe to a program

Donn Cave donn at u.washington.edu
Fri Mar 1 16:21:45 EST 2002


Quoth Joonas Paalasmaa <joonas at olen.to>:
| I am using Gnokii to send SMS messages with Python. Gnokii is started
| with popen2.popen2 like this:
|
| gnokiiRead, gnokiiWrite = popen2.popen2("gnokii --sendsms %s" % phonenumber)
| gnokiiWrite.write(message)
| gnokiiWrite.close()
| response = gnokiiRead.read()
| gnokiiRead.close()
|
| The problem is that the phonenumber string is not safe; it can even be
| "000; rm -fR ~/*". How can I securely pass arguments when opening the
| pipe?
| Is there a way to pass the arguments like in os.execv?

Yes!  I hear this isn't documented as well as it could be, but
popen2 accepts either a string or a sequence, and in the latter
case the sequence is argv, like in os.execv.

	Donn Cave, donn at u.washington.edu
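A worked example of the argv-sequence form Donn describes, added here and not part of the original thread. Python 3 dropped the popen2 module, so the example uses subprocess.Popen, whose list argument is the same idea: each element becomes one argv entry and no shell ever parses the string, exactly as with os.execv. gnokii is replaced by a stand-in Python one-liner (an assumption, so the example runs offline): it reads the message from stdin, as gnokii would, and reports the argv it received as JSON so the caller can verify that the hostile phone number from the question arrives as a single literal argument.

```python
import json
import subprocess
import sys

# Stand-in for "gnokii --sendsms" (assumption: gnokii is not installed here).
# The child reads the message from stdin, like gnokii would, and reports the
# argv it received as a JSON object on stdout so the parent can check it.
FAKE_GNOKII = [
    sys.executable, "-c",
    "import json, sys; msg = sys.stdin.read(); "
    "print(json.dumps({'argv': sys.argv[1:], 'message': msg}))",
]


def send_sms(phonenumber, message, command=FAKE_GNOKII):
    """Run the program with an argv list so phonenumber is exactly one argument.

    No shell is involved: subprocess.Popen with a list execs the program
    directly, the same way the sequence form of popen2 (or os.execv) does,
    so shell metacharacters in phonenumber have no special meaning.
    """
    argv = command + ["--sendsms", phonenumber]
    proc = subprocess.Popen(
        argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True
    )
    out, _ = proc.communicate(message)  # write the message, close stdin, read stdout
    return proc.returncode, out


def argv_seen_by_child(phonenumber, message="hello"):
    """Return (argv, message) exactly as the child process received them."""
    rc, out = send_sms(phonenumber, message)
    if rc != 0:
        raise RuntimeError("child failed with exit status %d" % rc)
    report = json.loads(out)
    return report["argv"], report["message"]


if __name__ == "__main__":
    # Constructed hostile input taken from the question. With the string form
    # it would be handed to a shell; here it arrives as one literal argv entry.
    hostile = "000; rm -fR ~/*"
    argv, msg = argv_seen_by_child(hostile, "test message")
    print("child argv:", argv)
    print("child stdin:", repr(msg))
```

The check to apply in your own code is the one argv_seen_by_child performs: the untrusted value must come back as a single element of the child's argv, unchanged. If you ever see it split on spaces or semicolons, a shell is still in the path (for subprocess that means shell=True or a single string command), and the fix is to go back to the list form rather than to escape the string.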


