building strings with variable input

Erik Max Francis max at alcyone.com
Mon Jan 12 14:45:01 EST 2004


"David M. Cooke" wrote:

> In which case he's probably better off with his original format
> (almost):
> 
> cmd = '"$executable" -start "$startTime" -end "$endTime" -dir \
> "$directory"'
> os.environ['executable'] = 'blah'
> os.environ['startTime'] = '12'
> os.environ['endTime'] = '18'
> os.environ['directory'] = './'
> os.system(cmd)

This doesn't resolve the underlying possibility for malicious people in
control of the contents of those variables to get it to execute
arbitrary shell code.  (In his case he says it isn't an issue, but
still.)

-- 
 __ Erik Max Francis && max at alcyone.com && http://www.alcyone.com/max/
/  \ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
\__/ It was involuntary. They sank my boat.
    -- John F. Kennedy (on how he became a war hero)
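As an added example (not code from either poster), the usual way to keep attacker-controlled values from ever reaching a shell parser is to skip the shell entirely and hand the tool an argument list via subprocess; where a shell command string is genuinely required, each value is quoted with shlex.quote first. The "executable" here is an assumed stand-in, a Python one-liner that prints its own argv, so the block runs without the real tool.

```python
import json
import shlex
import subprocess
import sys

# Constructed stand-in for the real executable: prints its argv as JSON so we
# can see exactly which arguments the child process received.
ECHO_ARGV = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))"]


def build_args(start_time, end_time, directory):
    """Build the tool's arguments as a list: every value stays one argv entry,
    whatever characters it contains, because no shell ever tokenises it."""
    return ["-start", start_time, "-end", end_time, "-dir", directory]


def run_tool(executable_argv, args):
    """Run executable + args without a shell (shell=False is the default)."""
    result = subprocess.run(executable_argv + args, capture_output=True, text=True, check=True)
    return result.stdout


def captured_argv(start_time, end_time, directory):
    """Return the argument list the child actually saw."""
    return json.loads(run_tool(ECHO_ARGV, build_args(start_time, end_time, directory)))


def build_shell_command(executable, start_time, end_time, directory):
    """Only if a single command string is unavoidable: quote each value so the
    shell treats it as literal data rather than re-parsing it."""
    parts = [executable, "-start", start_time, "-end", end_time, "-dir", directory]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    # A constructed hostile-looking value: with an argv list it arrives intact
    # as a single argument and nothing after the ';' is interpreted.
    print(captured_argv("12", "18", "./; echo injected"))
    print(build_shell_command("blah", "12", "18", "./; echo injected"))
```

With the argv-list approach the value `./; echo injected` is delivered verbatim as the `-dir` argument; with the quoted command string it becomes `'./; echo injected'`, which the shell passes through as one word.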


