Yet Another Command Line Parser
Manlio Perillo
NOmanlio_perilloSPAM at libero.it
Tue Oct 26 16:42:12 EDT 2004
On Tue, 26 Oct 2004 19:33:42 GMT, Andrew Dalke <adalke at mindspring.com>
wrote:
>Manlio Perillo wrote:
>> # add spaces to avoid errors like: 1 2, 3 4 -> (12, 34)
>> _options = ' '.join(sys.argv[1:])
>>
>> def call(func):
>>     """
>>     Call func, passing to it the arguments from the command line
>>     """
>>     exec('func(' + _options + ')')
>
>> The only problem is that error messages are ugly.
>
>And it's a huge security hole.
I know that executing arbitrary code is a security hole.
However it is intended for 'personal' use.
In this way for my scripts I have only to write a single line of code
for options handling.
Later, for production code, one can use getopt.
>What if I did
>
>
>script.py "x=6)\
>import os
>os.system('ls -l')"
>
A solution is to use eval, but this does not handle keyword arguments.
>Even if not a security hole, it's tricky to handle the
>combined shell and Python escaping rules
>
> script.py x="This is a string"
>
>won't work, while
>
> script.py 'x="This is a string"'
>
>should. Embedding ! and \escaped characters should be
>even more fun.
>
I'm not a shell expert, but isn't the solution simply to use ' or ''?
script.py x='\n'
Thanks and regards
Manlio Perillo
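
The trade-off raised in this message (exec runs arbitrary code, eval does not handle keyword arguments) can be avoided by parsing instead of executing. The following is an added example, not part of the original post: it parses the joined arguments with `ast` and accepts only literal values. It assumes Python 3; the names `parse_call_args`, `_literal` and the placeholder function name `_f` are assumptions of this example.

```python
import ast


def _literal(node):
    """Evaluate one AST node as a literal; never executes code."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError):
        # Names, function calls, attribute access, *args etc. end up here.
        raise ValueError("only literal values are allowed as arguments") from None


def parse_call_args(argv):
    """Parse tokens such as ['1,', '2,', 'x=6'] into (args, kwargs)."""
    # Same joining step as the original script: with the spaces, "1 2, 3 4"
    # becomes a syntax error instead of silently turning into (12, 34).
    source = "_f(" + " ".join(argv) + ")"
    try:
        # mode="eval" accepts a single expression only, so input that closes
        # the call and appends statements is rejected by the parser.
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise ValueError("arguments are not a valid call: %s" % exc.msg) from None

    call_node = tree.body
    if not (isinstance(call_node, ast.Call)
            and isinstance(call_node.func, ast.Name)
            and call_node.func.id == "_f"):
        raise ValueError("arguments must form exactly one call")

    args = [_literal(node) for node in call_node.args]
    kwargs = {}
    for kw in call_node.keywords:
        if kw.arg is None:  # "**mapping" expansion has no keyword name
            raise ValueError("** expansion is not allowed")
        kwargs[kw.arg] = _literal(kw.value)
    return args, kwargs


def call(func, argv):
    """Call func with the literal arguments parsed from argv."""
    args, kwargs = parse_call_args(argv)
    return func(*args, **kwargs)
```

In a script this would be used as `call(main, sys.argv[1:])`; the shell quoting issues discussed in the thread still apply to how the tokens reach `sys.argv`.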