Date: Thu, 4 Aug 2011 01:42:34 -0700
Subject: Re: Snippet: The leanest Popen wrapper
From: Chris Rebert
Newsgroups: comp.lang.python

On Thu, Aug 4, 2011 at 1:10 AM, Thomas Rachel wrote:
> On 03.08.2011 19:27, Chris Rebert wrote:
>
>>>                     shell= True,
>>
>> I would strongly encourage you to avoid shell=True.
>
> ACK, but not because it is hard, but because it is unnecessary and unelegant
> at this point.
>
>> You really don't want to have to worry about doing proper shell escaping
>> yourself.
>
> That's nothing to really worry about - just doing
>
> def shellquote(*strs):
>     return " ".join([
>         "'"+st.replace("'","'\\''")+"'"
>         for st in strs
>     ])
>
> would do perfectly: shellquote('echo', "'", '"', " ", "\n")

I was considering the more general case where one of the strings may
have come from user input. You then need to also escape
$looks_like_a_var, `some_command`, and way more other such stuff that
your simple function doesn't cover. Even if the user is trusted, not
escaping such things can still lead to bizarre unintended
output/results.

If the commands are completely static, then yes, I agree that lack of
necessity then becomes the main argument against shell=True.

Cheers,
Chris
--
http://rebertia.com
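
Added example, not part of the original post or thread: a comparison of what a child process actually receives when a string containing $var and `command` is passed as an argument list, interpolated unquoted into a shell=True command line, or quoted with the standard library's shlex.quote first. It assumes a POSIX system with /bin/sh; DEMO_VAR, the helper names and the sample input are constructed for this illustration.

```python
import json
import os
import shlex
import subprocess
import sys

# Child program: report the exact argv it received, as JSON.
CHILD = [sys.executable, "-c",
         "import json, sys; print(json.dumps(sys.argv[1:]))"]

# Constructed environment variable so that expansion is visible and harmless.
ENV = dict(os.environ, DEMO_VAR="expanded")

# Constructed sample input with the constructs named in the post.
SAMPLE = "$DEMO_VAR `echo substituted`"


def _run(cmd, shell):
    """Run cmd and return the argument list the child says it received."""
    proc = subprocess.run(cmd, shell=shell, env=ENV, check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def via_list(value):
    """shell=False with an argument list: no shell ever parses the value."""
    return _run(CHILD + [value], shell=False)


def via_shell_unquoted(value):
    """shell=True with plain string interpolation: /bin/sh parses the value."""
    prefix = " ".join(shlex.quote(word) for word in CHILD)
    return _run(prefix + " " + value, shell=True)


def via_shell_quoted(value):
    """shell=True, but every word goes through shlex.quote first."""
    return _run(" ".join(shlex.quote(w) for w in CHILD + [value]), shell=True)


if __name__ == "__main__":
    for fn in (via_list, via_shell_unquoted, via_shell_quoted):
        print(f"{fn.__name__:20} -> {fn(SAMPLE)!r}")
```

The argument-list form needs no quoting step at all, which is why it is the default choice whenever any part of the command is not a static string.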