[Tutor] Re: Help with ping...
Scott Widney
SWidney@ci.las-vegas.nv.us
Tue Nov 12 13:30:02 2002
>
> os.system("ping %s" % url )
> ^^^^^^^^
>
> Of course, any time you execute a string from the user you risk a
> security breach. Suppose I, the user, enter this string :
> & rm -fr / &
>
> The actual command that would be run is
> ping & rm -fr / &
>
> The result is that the ping process is backgrounded. It prints an
> error because it has no arguments. At the same time an rm process is
> started and backgrounded. This is very bad, particularly if you ran
> the script as root.
>
> Just beware of user input at all times! :-)

And in this particular instance you could "import urlparse" and run the
user's input through it. If it can't be parsed, don't send it to ping.

Scott
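
An added example, not code from this thread: one way to apply both points above, parsing the input first and never handing it to a shell. It goes beyond the suggestion in the message in two ways: it uses `urllib.parse` (where the `urlparse` module lives in Python 3), and, because that parser accepts almost any string, it also checks the extracted host against a strict character allowlist. The function names and sample inputs are assumptions made for illustration.

```python
import re
import subprocess
from urllib.parse import urlsplit  # Python 3 home of the old urlparse module

# One DNS label, or several joined by dots: letters, digits and inner hyphens only.
# A leading "-" is refused, so the value can never be read by ping as an option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(r"(?=.{1,253}\Z)%s(?:\.%s)*" % (_LABEL, _LABEL))


def extract_host(user_input):
    """Return a validated host from a URL or bare host name, else raise ValueError."""
    text = user_input.strip()
    # urlsplit only fills in .hostname when a "//" authority is present,
    # so add one for bare input such as "www.python.org".
    host = urlsplit(text if "//" in text else "//" + text).hostname
    if not host or not _HOST_RE.fullmatch(host):
        raise ValueError("not a usable host: %r" % user_input)
    return host


def build_ping_argv(user_input, count=1):
    """Build the argument list for ping; "-c" is the count flag on Unix-like ping."""
    return ["ping", "-c", str(int(count)), extract_host(user_input)]


def ping(user_input):
    # A list with the default shell=False reaches ping as one argv entry per item.
    # No shell parses the user's text, so "&" and ";" have no special meaning.
    return subprocess.run(build_ping_argv(user_input)).returncode


if __name__ == "__main__":
    # Constructed sample inputs; the demo only prints what would be executed.
    for sample in ["http://www.python.org/doc/", "www.python.org",
                   "& rm -fr / &", "www.python.org; rm -fr /", "-f"]:
        try:
            print("%-28r -> %s" % (sample, build_ping_argv(sample)))
        except ValueError as exc:
            print("%-28r -> rejected (%s)" % (sample, exc))
```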