Subject: Re: os.system() with imbeded quotes on centos
From: Chris Rebert
To: Cameron Simpson
Cc: python-list@python.org
Date: Fri, 5 Apr 2013 16:36:28 -0700
Newsgroups: comp.lang.python
In-Reply-To: <20130405220039.GA95779@cskk.homeip.net>

On Fri, Apr 5, 2013 at 3:00 PM, Cameron Simpson wrote:
> On 01Apr2013 20:26, John Gordon wrote:
> | In <0c9717ca-52dd-49ce-8102-e1432883858a@googlegroups.com> cevyne@gmail.com writes:
> | > someip = '192.168.01.01'
> | > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
> |
> | '&' is a special character in shell commands. You'll need to quote or
> | escape it.
>
> Or better still, use the subprocess module and avoid going via the
> os.system() altogether:
>
> http://docs.python.org/2/library/subprocess.html#popen-constructor
>
> If you must go via the os.system(), write yourself a generic function
> to quote a string for the shell, and to quote a bunch of strings
> (essentially " ".join( quoted-individual-strings )). And use it
> rigorously.
>
> Anything else is asking for shell injection attacks/errors, just
> as bad as hand constructing SQL statements.
>
> For example, if I must construct a shell command from arbitrary
> strings (like your URL) I use quote() from this:
>
> https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py
>
> That code's nothing special, just what I rolled some years ago for
> exactly this purpose.

No need for third-party code, just use the std lib:
http://docs.python.org/2/library/pipes.html#pipes.quote
http://docs.python.org/3/library/shlex.html#shlex.quote

(But yeah, best of all is to just use `subprocess` with shell=False.)

Cheers,
Chris
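The three options discussed in this thread, side by side, as an added example (not code from the thread or from cs/sh.py): the unquoted string in which '&' splits the command, Cameron's quote-and-join helper built on the std-lib shlex.quote, and the shell-free argv form for subprocess. The host and query string are constructed to match the shape of the original post; shell_sees() is an added check that runs the quoted string through a real sh to confirm each word arrives as one argument.

```python
import shlex
import subprocess

# Constructed sample values modelled on the original post (not a real host);
# the query string carries '&', which sh treats as a command separator.
SOMEIP = "192.168.01.01"
URL = "http://" + SOMEIP + "/cgi-bin/xxxx.log&.submit=+++Go%21+++"


def unsafe_command(url, outfile="junk"):
    """Shape of the original os.system() string: the URL is pasted in verbatim,
    so the shell ends the lynx command at '&' and runs what follows as a
    second command.  Kept only for contrast; never hand this to a shell."""
    return "lynx -dump " + url + " > " + outfile


def quote_words(words):
    """Cameron's 'quote a bunch of strings' helper using the std lib:
    shlex.quote() (pipes.quote on Python 2) single-quotes anything the shell
    would interpret, and the pieces are joined with spaces."""
    return " ".join(shlex.quote(w) for w in words)


def quoted_command(url, outfile="junk"):
    """Same command as unsafe_command(), with every arbitrary piece quoted.
    Only for the case where a shell string is genuinely unavoidable."""
    return quote_words(["lynx", "-dump", url]) + " > " + shlex.quote(outfile)


def lynx_argv(url):
    """Best option from the thread: an argv list for subprocess with
    shell=False.  No shell parses it, so nothing needs quoting."""
    return ["lynx", "-dump", url]


def run_lynx(url, outfile):
    """Run lynx without a shell; the '> junk' redirect becomes stdout=."""
    with open(outfile, "wb") as fh:
        return subprocess.run(lynx_argv(url), stdout=fh, shell=False).returncode


def shell_sees(words):
    """Verify the quoting: let a real sh parse the quoted string and have
    printf echo each argument on its own line, so '&' must come back intact."""
    cmd = "printf '%s\\n' " + quote_words(words)
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True,
                         check=True).stdout
    return out.split("\n")[:-1]


if __name__ == "__main__":
    print("unsafe: ", unsafe_command(URL))
    print("quoted: ", quoted_command(URL))
    print("argv:   ", lynx_argv(URL))
    print("sh sees:", shell_sees(["lynx", "-dump", URL]))
```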