how to invoke the shell command and then get the result in python

Nick Craig-Wood nick at craig-wood.com
Wed Dec 6 05:30:04 EST 2006


Fredrik Lundh <fredrik at pythonware.com> wrote:
>  petercable at gmail.com wrote:
> 
> > Assuming the script isn't setuid, this would do no more damage than the
> > user could do directly on the command line.
> 
>  except that when the user is typing things into the command line, he 
>  *knows* that he's typing things into the command line.

Aye!

Who is to say that this script won't get re-used innocently in a web
application?

And in this particular example we were talking about typing regular
expressions into the shell, which have many of the same metacharacters
as the shell.  So even an innocent use of the above can cause
problems.

Just say no to passing user input (from anywhere at all) via the
shell!  That (along with SQL injection attacks which are very similar
in concept) is one of the most common security attacks for scripting
languages like Python when used in a web environment.

-- 
Nick Craig-Wood <nick at craig-wood.com> -- http://www.craig-wood.com/nick
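As an added example (not from Nick's post or the python-list thread): the two ways of handing a user-supplied regex to grep from Python, with a constructed pattern that contains both regex and shell metacharacters. The shell=True string is only built and tokenised, never run; the argument-list form is the one to use, and a child Python process stands in for grep to show the argument arrives verbatim.

```python
import shlex
import subprocess
import sys

# Constructed sample input: a "regex" that also carries a shell metacharacter.
USER_PATTERN = "a.*b; echo injected"
LOG_PATH = "/var/log/messages"  # assumed path, only used to build argv


def unsafe_command(pattern, path=LOG_PATH):
    """What the post warns against: user text spliced into a shell string.
    Returned for inspection only; with shell=True the shell would run it."""
    return "grep -E %s %s" % (pattern, path)


def shell_tokens(command):
    """Tokenise the string the way a POSIX shell would (';' becomes its own
    token), so the second command hidden in the pattern is visible."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def safe_command(pattern, path=LOG_PATH):
    """Argument list, no shell: metacharacters in pattern reach grep as data.
    '--' stops a pattern beginning with '-' from being read as an option."""
    return ["grep", "-E", "--", pattern, path]


def run(argv):
    """Run an argv list with shell=False and return (exit status, stdout).
    For grep, status 0 means a match, 1 no match, 2 an error."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def echo_argv(arg):
    """Round-trip one argument through a child process (python itself, so this
    runs anywhere) to show that shell=False passes it through untouched."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", arg]
    return run(child)[1]


if __name__ == "__main__":
    print("shell string:", unsafe_command(USER_PATTERN))
    print("shell sees:  ", shell_tokens(unsafe_command(USER_PATTERN)))
    print("argv list:   ", safe_command(USER_PATTERN))
    print("child got:   ", repr(echo_argv(USER_PATTERN)))
```

Running the argv form, grep receives the whole string as one pattern; the shell string form would have run `echo injected` as a second command.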
