building strings with variable input
David M. Cooke
cookedm+news at physics.mcmaster.ca
Mon Jan 12 21:51:00 EST 2004
At some point, Erik Max Francis <max at alcyone.com> wrote:
> "David M. Cooke" wrote:
>
>> In which case he's probably better off with his original format
>> (almost):
>>
>> import os
>> cmd = '"$executable" -start "$startTime" -end "$endTime" -dir \
>> "$directory"'
>> os.environ['executable'] = 'blah'
>> os.environ['startTime'] = '12'
>> os.environ['endTime'] = '18'
>> os.environ['directory'] = './'
>> os.system(cmd)
>
> This doesn't resolve the underlying possibility for malicious people in
> control of the contents of those variables to get it to execute
> arbitrary shell code. (In his case he says it isn't an issue, but
> still.)
Do you mean something like
os.environ['startTime'] = '`rm -rf /`'
?
That 'rm -rf /' *won't* be executed: the shell will expand
"$startTime" to "`rm -rf /`", and that's it. Of course, if the
executable you're calling is a shell script that doesn't handle its
arguments correctly, then you're in trouble. That means $executable is
bad practice -- you're allowing arbitrary commands to be called.
--
|>|\/|<
/--------------------------------------------------------------------------\
|David M. Cooke
|cookedm(at)physics(dot)mcmaster(dot)ca
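The distinction David draws above, as an added example that is not part of the original thread: the same hostile value is passed once through environment variables (the approach in the quoted code), once spliced into the command string, and once with no shell at all. It assumes a POSIX `sh`, uses a harmless `` `echo INJECTED` `` stand-in for the `rm -rf /` in the post, and uses `subprocess` instead of `os.system` so the output can be captured and compared.

```python
import os
import subprocess

# Constructed, harmless stand-in for the `rm -rf /` in the thread: if the
# shell ever runs it, the word INJECTED appears in the output.
HOSTILE = "`echo INJECTED`"

# The thread's template: every value is read by the shell from the
# environment, inside double quotes, so the value itself is never re-parsed.
CMD_TEMPLATE = '"$executable" -start "$startTime" -end "$endTime" -dir "$directory"'


def run_via_env(executable, start, end, directory):
    """Pass the values through environment variables (the approach in the post).
    The shell expands "$startTime" to the literal text, backticks included."""
    env = dict(os.environ, executable=executable, startTime=start,
               endTime=end, directory=directory)
    out = subprocess.run(["sh", "-c", CMD_TEMPLATE], env=env,
                         capture_output=True, text=True)
    return out.stdout.strip()


def run_via_interpolation(executable, start, end, directory):
    """Splice the values into the command string before the shell sees it.
    The backticks are now part of the command text, so the shell runs them
    as a command substitution: this is the injection Erik is worried about."""
    cmd = '"%s" -start "%s" -end "%s" -dir "%s"' % (executable, start, end, directory)
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout.strip()


def run_without_shell(executable, start, end, directory):
    """No shell at all: argv goes straight to the program, so there is
    nothing to expand. Note that a caller-controlled `executable` is still
    a problem in every variant, exactly as the post says."""
    argv = [executable, "-start", start, "-end", end, "-dir", directory]
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    for fn in (run_via_env, run_via_interpolation, run_without_shell):
        print(fn.__name__, "->", fn("echo", HOSTILE, "18", "./"))
```

Only the interpolated variant prints `INJECTED`; the other two print the backticks verbatim as an ordinary argument.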