building strings with variable input
David M. Cooke
cookedm+news at physics.mcmaster.ca
Tue Jan 13 09:49:36 EST 2004
At some point, Erik Max Francis <max at alcyone.com> wrote:
> "David M. Cooke" wrote:
>
>> Do you mean something like
>> os.environ['startTime'] = '`rm -rf /`'
>> ?
>
> No, I mean something like
>
> os.environ['startTime'] = '"; rm -rf /; : "'
>
> The lesson to be learned here is: Do not build shell commands from
> untrusted inputs. Ever.
Doesn't work:
>>> os.environ['string'] = '"; uname; : "'
>>> os.system('echo "$string"')
"; uname; : "
Although the advice of not building shell commands is still prudent;
just because none of my or your methods to defeat it have worked,
doesn't mean there isn't a technique that will.
It's also dependent on having a good shell -- I'm using bash 2.05b.0.
--
|>|\/|<
/--------------------------------------------------------------------------\
|David M. Cooke
|cookedm(at)physics(dot)mcmaster(dot)ca
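The thread's point, carried through in code: the environment-variable trick works because a POSIX shell does not re-parse the result of `"$string"`, but the robust fix is to keep the shell out of the picture (an argv list) or to quote each untrusted piece with `shlex.quote()` when a command string is unavoidable. This is an added example, not code from the thread or from either poster; it assumes a POSIX `/bin/sh` (bash or dash) and Python 3's `subprocess`/`shlex`. The `uname` payload is the one from the thread; the other probe strings are constructed here.

```python
import os
import shlex
import subprocess
import sys

# The payload from the thread, plus constructed variants that probe other
# expansion mechanisms: backticks, $(...), single quotes, variable expansion.
THREAD_PAYLOAD = '"; uname; : "'
PROBES = [THREAD_PAYLOAD, '`uname`', '$(uname)', "'; uname; : '", '$HOME']


def run_with_argv(untrusted: str) -> str:
    """Safest option: pass the value as one argv element with shell=False.

    No shell parses anything, so quotes, semicolons and backticks in the input
    are just bytes in argv[1].  Python itself is used as the child so the
    example needs no external binary (echo or printf would behave the same).
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", untrusted],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def run_via_env(untrusted: str) -> str:
    """The thread's technique: hand the value to the shell in an environment
    variable and expand it inside double quotes.  POSIX sh does not re-parse
    the expansion of "$string" for quotes, operators or substitutions, so the
    value reaches printf intact.  Assumes /bin/sh is a POSIX shell.
    """
    env = dict(os.environ, string=untrusted)
    result = subprocess.run(
        'printf %s "$string"', shell=True, env=env,
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def quoted_command(untrusted: str) -> str:
    """Build a command string with the untrusted piece quoted by shlex.quote(),
    so the shell sees it as exactly one literal word."""
    return "printf %s " + shlex.quote(untrusted)


def run_quoted(untrusted: str) -> str:
    """Fallback when a command string must be assembled: quote every piece."""
    result = subprocess.run(quoted_command(untrusted), shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def naive_command(untrusted: str) -> str:
    """The pattern the thread warns against: interpolating the value into a
    double-quoted shell argument.  Only returned here, never executed."""
    return 'printf %s "' + untrusted + '"'


def shell_words(cmd: str) -> list:
    """Split a command string the way a POSIX shell would, reporting ; | & ( )
    < > as separate operator tokens, so a command can be inspected without
    being run."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


if __name__ == "__main__":
    for p in PROBES:
        assert run_with_argv(p) == run_via_env(p) == run_quoted(p) == p
    # The naive string splits into several commands; the quoted one stays a single word.
    print("naive :", shell_words(naive_command(THREAD_PAYLOAD)))
    print("quoted:", shell_words(quoted_command(THREAD_PAYLOAD)))
```

All three safe variants return every probe string verbatim. `shell_words()` makes the difference visible without executing anything: the naively interpolated command tokenizes into `printf`, a `;` operator, `uname`, another `;` and `:`, while the `shlex.quote()` version tokenizes into exactly three words with the payload as the last one. Prefer `run_with_argv`; reach for `shlex.quote()` only when a shell is genuinely required, and keep in mind the thread's caveat that this depends on the shell actually honouring POSIX quoting rules.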