Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #42856
| Date | 2013-04-06 09:00 +1100 |
|---|---|
| From | Cameron Simpson <cs@zip.com.au> |
| Subject | Re: os.system() with imbeded quotes on centos |
| References | <kjcqh6$g2n$1@reader1.panix.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.162.1365200298.3114.python-list@python.org> (permalink) |
On 01Apr2013 20:26, John Gordon <gordon@panix.com> wrote: | In <0c9717ca-52dd-49ce-8102-e1432883858a@googlegroups.com> cevyne@gmail.com writes: | > someip = '192.168.01.01' | > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk' | | '&' is a special character in shell commands. You'll need to quote or | escape it. Or better still, use the subprocess module and avoid going via the os.system() altogether: http://docs.python.org/2/library/subprocess.html#popen-constructor If you must go via the os.system(), write yourself a generic function to quote a string for the shell, and to quote a bunch of strings (essentially " ".join( quoted-individual-strings )). And use it rigorously. Anything else is asking for shell injection attacks/errors, just as bad as hand constructing SQL statements. For example, if I must construct a shell command from arbitrary strings (like your URL) I use quote() from this: https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py That code's nothing special, just what I rolled some years ago for exactly this purpose. The core lesson is: never waste time figuring out _whether_ you need to treat shell strings specially. Just treat them specially and consistently and be safe. Cheers, -- Cameron Simpson <cs@zip.com.au> -- cat: /Users/cameron/rc/mail/signature.: No such file or directory The Design View editor of Visual InterDev 6.0 is currently incompatible with Compatibility Mode, and may not function correctly. - George Politis <george@research.canon.com.au>, 22apr1999, quoting http://msdn.microsoft.com/vstudio/technical/ie5.asp
Back to comp.lang.python | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
os.system() with imbeded quotes on centos cevyne@gmail.com - 2013-04-01 12:22 -0700
Re: os.system() with imbeded quotes on centos Chris Angelico <rosuav@gmail.com> - 2013-04-02 06:33 +1100
Re: os.system() with imbeded quotes on centos John Gordon <gordon@panix.com> - 2013-04-01 20:26 +0000
Re: os.system() with imbeded quotes on centos Cameron Simpson <cs@zip.com.au> - 2013-04-06 09:00 +1100
Re: os.system() with imbeded quotes on centos Chris Rebert <clp2@rebertia.com> - 2013-04-05 16:36 -0700
csiph-web