[issue40363] shlex.quote applied to a glob pattern disables glob matching
Rémi Lapeyre
report at bugs.python.org
Wed Apr 22 11:39:56 EDT 2020
Rémi Lapeyre <remi.lapeyre at henki.fr> added the comment:
shlex.quote makes the string safe to pass to a command; what if it's
rm 'var/log/syslog*'
instead?
You make sure that only the file given would be removed but then shlex.quote() shoots you in the foot.
This would also cause issues for files with '*' or other special characters in the name; you would not be able to pass their name anymore.
Also, not all shells have the same glob patterns and some of them are actually configurable to enable more patterns, so it would be impossible to know what to escape or not; shlex.quote() just quotes everything unconditionally.
If you want to allow '*' at the end or inside the pattern, I think the best way is to look for it in your application, split (or take the prefix if you only want to allow it at the end), use shlex.quote() on the parts and concatenate with '*'.
----------
nosy: +remi.lapeyre
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue40363>
_______________________________________
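The split-quote-concatenate approach suggested in the comment above, as an added example that is not part of the tracker message or of CPython. The names quote_glob, shell_expand and demo are hypothetical, the file names are constructed, and a POSIX sh is assumed to be on PATH.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path


def quote_glob(pattern: str) -> str:
    """Quote everything except '*' so the shell still expands the wildcard."""
    # Empty pieces (leading, trailing or doubled '*') stay empty rather than
    # becoming '' so the result stays readable; the shell treats both the same.
    return "*".join(shlex.quote(part) if part else "" for part in pattern.split("*"))


def shell_expand(pattern: str, cwd: str) -> list:
    """Let sh expand the quoted pattern inside cwd and return the resulting words."""
    result = subprocess.run(
        ["sh", "-c", "printf '%s\\n' " + quote_glob(pattern)],
        cwd=cwd, capture_output=True, text=True, check=True,
    )
    return sorted(result.stdout.splitlines())


def demo() -> dict:
    """Run three constructed patterns against constructed files in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("syslog", "syslog.1", "my file.log", "keep.txt"):
            Path(tmp, name).touch()
        return {
            # '*' is left bare, so the glob still matches both syslog files.
            "glob": shell_expand("syslog*", tmp),
            # The space is quoted, the trailing '*' is not.
            "space": shell_expand("my file*", tmp),
            # ';' ends up inside quotes: no second command runs, and the
            # unmatched pattern is passed through as one literal word.
            "hostile": shell_expand("syslog*; touch pwned", tmp),
            "side_effect": Path(tmp, "pwned").exists(),
        }


if __name__ == "__main__":
    print(quote_glob("my file*.log; rm -rf ~"))
    for key, value in demo().items():
        print(key, value)
```

Only '*' is treated as a wildcard here; '?', '[' and any shell-specific extended patterns are quoted as literals, which matches the comment's point that the application has to decide which pattern characters it allows.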