os.system() with embedded quotes on centos

Cameron Simpson cs at zip.com.au
Fri Apr 5 18:00:39 EDT 2013


On 01Apr2013 20:26, John Gordon <gordon at panix.com> wrote:
| In <0c9717ca-52dd-49ce-8102-e1432883858a at googlegroups.com> cevyne at gmail.com writes:
| > someip = '192.168.01.01'
| > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++  > junk' 
| 
| '&' is a special character in shell commands.  You'll need to quote or
| escape it.

Or better still, use the subprocess module and avoid going via the
os.system() altogether:

  http://docs.python.org/2/library/subprocess.html#popen-constructor

If you must go via the os.system(), write yourself a generic function
to quote a string for the shell, and to quote a bunch of strings
(essentially " ".join( quoted-individual-strings )). And use it
rigorously.

Anything else is asking for shell injection attacks/errors, just
as bad as hand constructing SQL statements.

For example, if I must construct a shell command from arbitrary
strings (like your URL) I use quote() from this:

  https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py

That code's nothing special, just what I rolled some years ago for
exactly this purpose.

The core lesson is: never waste time figuring out _whether_ you
need to treat shell strings specially. Just treat them specially
and consistently and be safe.

Cheers,
-- 
Cameron Simpson <cs at zip.com.au>
-- 
cat: /Users/cameron/rc/mail/signature.: No such file or directory

The Design View editor of Visual InterDev 6.0 is currently incompatible
with Compatibility Mode, and may not function correctly.
- George Politis <george at research.canon.com.au>, 22apr1999,
  quoting http://msdn.microsoft.com/vstudio/technical/ie5.asp
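The two routes the reply recommends, side by side with the original construction, as an added example that is not part of the post or of Cameron's cs.sh module. It is Python 3; shlex.quote (3.3+) stands in for the quote() function he describes, and shlex's own tokenizer is used to show what /bin/sh would make of each command line without executing it. The benign address is the one from the thread; the hostile one is constructed here to show the injection the reply warns about.

```python
import shlex
import subprocess
from typing import List, Sequence

# Constructed sample inputs: the address from the thread and a hostile one.
SAMPLE_IP = "192.168.01.01"
HOSTILE_IP = "192.168.01.01; id #"


def unsafe_command(someip: str) -> str:
    """The construction from the thread, verbatim: '&' and '>' are unquoted
    and someip is pasted straight into the command line."""
    return "lynx -dump http://" + someip + "/cgi-bin/xxxx.log&.submit=+++Go%21+++  > junk"


def shell_quote_all(words: Sequence[str]) -> str:
    """Quote every word for /bin/sh and join them: the generic helper the
    post says to write.  shlex.quote does the per-word work here in place
    of a hand-rolled quote()."""
    return " ".join(shlex.quote(w) for w in words)


def safe_command(someip: str) -> str:
    """Same job via os.system-style string building, but every variable
    word goes through the quoter; only the literal redirection stays bare."""
    url = "http://" + someip + "/cgi-bin/xxxx.log&.submit=+++Go%21+++"
    return shell_quote_all(["lynx", "-dump", url]) + " > junk"


def fetch_argv(someip: str) -> List[str]:
    """The subprocess route: an argv list, no shell, nothing to quote."""
    url = "http://" + someip + "/cgi-bin/xxxx.log&.submit=+++Go%21+++"
    return ["lynx", "-dump", url]


def run_without_shell(argv: Sequence[str]) -> str:
    """Run argv directly (shell=False) and return its stdout.  Shell
    metacharacters inside argv elements reach the program as plain text."""
    return subprocess.run(list(argv), check=True, capture_output=True, text=True).stdout


def shell_words(cmdline: str) -> List[str]:
    """Tokenize a command line the way a POSIX shell would: split on
    whitespace and on the operators ( ) ; < > | &, honour quotes, and treat
    a bare '#' as a comment.  Shows what the shell would see, runs nothing."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def command_count(cmdline: str) -> int:
    """How many separate commands the shell would run: one more than the
    number of ; & | operators standing between words."""
    return 1 + sum(1 for w in shell_words(cmdline) if w in (";", "&", "|", "&&", "||"))


if __name__ == "__main__":
    for label, ip in (("benign", SAMPLE_IP), ("hostile", HOSTILE_IP)):
        print(f"--- {label} input: {ip!r}")
        print("unsafe:", shell_words(unsafe_command(ip)), "commands:", command_count(unsafe_command(ip)))
        print("quoted:", shell_words(safe_command(ip)), "commands:", command_count(safe_command(ip)))
        print("argv:  ", fetch_argv(ip))
    # No shell involved: '&' and '>' are ordinary characters to the child.
    print(run_without_shell(["echo", "a & b > junk"]), end="")
```

Even with the benign address, the unquoted form is two commands: lynx is backgrounded at the `&` and the shell then tries to run `.submit=+++Go%21+++` with its output sent to junk, which is the symptom the original poster hit. With the hostile address the unquoted form runs `id` and the `#` comments away the rest of the line, while the quoted form and the argv form both hand the whole string to lynx as one URL.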


