should these be fixed for python 2.4?
Andrew Dalke
adalke at mindspring.com
Fri Oct 1 19:58:00 EDT 2004
Jeff Shannon wrote:
> Personally, I suspect that the number of people who're running external
> commands that are complex enough for these escaping issues to matter is
> rather small. The vast majority of uses of os.system() (IMHO) are very
> simple cases with one or two simple arguments.
I end up making a lot of system() and popen*() calls. Looking
through the 30 or so cases (out of about 6800 LOC) I see that most
of them use hard coded parameters that don't need escaping.
Some of them do use commands.mkarg (the only function I know of in the
standard library that does shell escaping). Those are passed
user-defined filenames.
I would rather not assume the user knows enough to not pass
filenames with a " " or a ";". Sounds like walking too shaky
a tightrope, and making the system open to subtle security
attacks.
Andrew
dalke at dalkescientific.com
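
Added example, not part of the original post: what happens to a user-supplied filename containing a " " and a ";" when it reaches a shell unescaped, escaped, and not via a shell at all. It assumes Python 3.7+ on a POSIX system and uses shlex.quote in place of commands.mkarg, since the commands module no longer exists in Python 3; the filename and helper names are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Constructed sample: a "filename" a user might supply, with a space and a ';'.
FILENAME = "report 2004; echo INJECTED"

# Helper child process (hypothetical): prints each argument it received, one per line.
SHOW_ARGS = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]
# The fixed, trusted part of the command line, quoted once for the shell.
BASE = " ".join(shlex.quote(part) for part in SHOW_ARGS)


def _lines(result):
    return result.stdout.splitlines()


def unquoted(filename):
    """Equivalent of os.system("prog " + filename): the shell splits the name
    on the space and treats ';' as a command separator."""
    cmd = BASE + " " + filename
    return _lines(subprocess.run(cmd, shell=True, capture_output=True,
                                 text=True, check=True))


def quoted(filename):
    """Same shell call, but the filename is escaped first (the role
    commands.mkarg played in the post)."""
    cmd = BASE + " " + shlex.quote(filename)
    return _lines(subprocess.run(cmd, shell=True, capture_output=True,
                                 text=True, check=True))


def no_shell(filename):
    """Argument-list form: no shell parses the name, so nothing needs escaping."""
    return _lines(subprocess.run(SHOW_ARGS + [filename], capture_output=True,
                                 text=True, check=True))


if __name__ == "__main__":
    print("unquoted:", unquoted(FILENAME))
    print("quoted:  ", quoted(FILENAME))
    print("no shell:", no_shell(FILENAME))
```

In the unquoted case the child sees two arguments and the shell runs the text after the ";" as a second command; in the other two cases the child receives the filename as one argument.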