Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #42856
| Path | csiph.com!usenet.pasdenom.info!weretis.net!feeder4.news.weretis.net!rt.uk.eu.org!newsfeed.xs4all.nl!newsfeed4.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail |
|---|---|
| Return-Path | <cameron@cskk.homeip.net> |
| X-Original-To | python-list@python.org |
| Delivered-To | python-list@mail.python.org |
| X-Spam-Status | OK 0.007 |
| X-Spam-Evidence | '*H*': 0.99; '*S*': 0.00; 'url:bitbucket': 0.05; 'incompatible': 0.07; 'purpose.': 0.07; 'url:msdn': 0.07; 'string': 0.09; 'escape': 0.09; 'special,': 0.09; '6.0': 0.16; 'from:addr:cs': 0.16; 'from:addr:zip.com.au': 0.16; 'from:name:cameron simpson': 0.16; 'message-id:@cskk.homeip.net': 0.16; 'mode,': 0.16; 'simpson': 0.16; 'url)': 0.16; 'url:css': 0.16; 'url:py': 0.16; 'wrote:': 0.18; 'module': 0.19; "skip:' 30": 0.19; 'command': 0.22; 'cc:addr:gmail.com': 0.22; 'shell': 0.22; 'header:User-Agent:1': 0.23; 'cheers,': 0.24; 'cc:2**0': 0.24; 'cc:no real name:2**0': 0.24; 'specially': 0.26; 'this:': 0.26; 'asking': 0.27; 'header:In-Reply-To:1': 0.27; 'function': 0.29; 'character': 0.29; '(like': 0.30; 'waste': 0.30; "skip:' 10": 0.31; 'bunch': 0.31; 'correctly.': 0.31; 'george': 0.31; 'skip:q 20': 0.31; 'writes:': 0.31; 'file': 0.32; 'url:python': 0.33; 'ago': 0.33; 'core': 0.34; 'subject:with': 0.35; 'editor': 0.35; 'charset:us-ascii': 0.36; 'url:org': 0.36; 'example,': 0.37; 'url:microsoft': 0.37; 'generic': 0.38; 'url:library': 0.38; 'to:addr:python-list': 0.38; 'anything': 0.39; 'bad': 0.39; 'quote': 0.39; 'visual': 0.39; 'to:addr:python.org': 0.39; 'john': 0.61; 'content-disposition:inline': 0.62; "you'll": 0.62; 'email addr:gmail.com': 0.63; 'such': 0.63; 'special': 0.74; 'url:asp': 0.77; 'yourself': 0.78; 'hand': 0.80; 'commands.': 0.84; 'safe.': 0.84; 'skip:/ 30': 0.84; 'shell,': 0.91 |
| Date | Sat, 6 Apr 2013 09:00:39 +1100 |
| From | Cameron Simpson <cs@zip.com.au> |
| To | python-list@python.org |
| Subject | Re: os.system() with imbeded quotes on centos |
| MIME-Version | 1.0 |
| Content-Type | text/plain; charset=us-ascii |
| Content-Disposition | inline |
| In-Reply-To | <kjcqh6$g2n$1@reader1.panix.com> |
| User-Agent | Mutt/1.5.21 (2010-09-15) |
| References | <kjcqh6$g2n$1@reader1.panix.com> |
| Cc | cevyne@gmail.com |
| X-BeenThere | python-list@python.org |
| X-Mailman-Version | 2.1.15 |
| Precedence | list |
| List-Id | General discussion list for the Python programming language <python-list.python.org> |
| List-Unsubscribe | <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe> |
| List-Archive | <http://mail.python.org/pipermail/python-list/> |
| List-Post | <mailto:python-list@python.org> |
| List-Help | <mailto:python-list-request@python.org?subject=help> |
| List-Subscribe | <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.162.1365200298.3114.python-list@python.org> (permalink) |
| Lines | 43 |
| NNTP-Posting-Host | 2001:888:2000:d::a6 |
| X-Trace | 1365200298 news.xs4all.nl 6890 [2001:888:2000:d::a6]:37096 |
| X-Complaints-To | abuse@xs4all.nl |
| Xref | csiph.com comp.lang.python:42856 |
Show key headers only | View raw
On 01Apr2013 20:26, John Gordon <gordon@panix.com> wrote: | In <0c9717ca-52dd-49ce-8102-e1432883858a@googlegroups.com> cevyne@gmail.com writes: | > someip = '192.168.01.01' | > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk' | | '&' is a special character in shell commands. You'll need to quote or | escape it. Or better still, use the subprocess module and avoid going via the os.system() altogether: http://docs.python.org/2/library/subprocess.html#popen-constructor If you must go via the os.system(), write yourself a generic function to quote a string for the shell, and to quote a bunch of strings (essentially " ".join( quoted-individual-strings )). And use it rigorously. Anything else is asking for shell injection attacks/errors, just as bad as hand constructing SQL statements. For example, if I must construct a shell command from arbitrary strings (like your URL) I use quote() from this: https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py That code's nothing special, just what I rolled some years ago for exactly this purpose. The core lesson is: never waste time figuring out _whether_ you need to treat shell strings specially. Just treat them specially and consistently and be safe. Cheers, -- Cameron Simpson <cs@zip.com.au> -- cat: /Users/cameron/rc/mail/signature.: No such file or directory The Design View editor of Visual InterDev 6.0 is currently incompatible with Compatibility Mode, and may not function correctly. - George Politis <george@research.canon.com.au>, 22apr1999, quoting http://msdn.microsoft.com/vstudio/technical/ie5.asp
Back to comp.lang.python | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
os.system() with imbeded quotes on centos cevyne@gmail.com - 2013-04-01 12:22 -0700
Re: os.system() with imbeded quotes on centos Chris Angelico <rosuav@gmail.com> - 2013-04-02 06:33 +1100
Re: os.system() with imbeded quotes on centos John Gordon <gordon@panix.com> - 2013-04-01 20:26 +0000
Re: os.system() with imbeded quotes on centos Cameron Simpson <cs@zip.com.au> - 2013-04-06 09:00 +1100
Re: os.system() with imbeded quotes on centos Chris Rebert <clp2@rebertia.com> - 2013-04-05 16:36 -0700
csiph-web