Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #42486 > unrolled thread
| Started by | cevyne@gmail.com |
|---|---|
| First post | 2013-04-01 12:22 -0700 |
| Last post | 2013-04-05 16:36 -0700 |
| Articles | 5 — 5 participants |
Back to article view | Back to comp.lang.python
os.system() with imbeded quotes on centos cevyne@gmail.com - 2013-04-01 12:22 -0700
Re: os.system() with imbeded quotes on centos Chris Angelico <rosuav@gmail.com> - 2013-04-02 06:33 +1100
Re: os.system() with imbeded quotes on centos John Gordon <gordon@panix.com> - 2013-04-01 20:26 +0000
Re: os.system() with imbeded quotes on centos Cameron Simpson <cs@zip.com.au> - 2013-04-06 09:00 +1100
Re: os.system() with imbeded quotes on centos Chris Rebert <clp2@rebertia.com> - 2013-04-05 16:36 -0700
| From | cevyne@gmail.com |
|---|---|
| Date | 2013-04-01 12:22 -0700 |
| Subject | os.system() with imbeded quotes on centos |
| Message-ID | <0c9717ca-52dd-49ce-8102-e1432883858a@googlegroups.com> |
I get the example os.system('ls -al') no problem.
i'm trying to create a variable with my command built in it but needs to include quotes.
Portion of code is as follows:
someip = '192.168.01.01'
var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
print var1
os.system(var1)
If I print var1 it looks right . If I use the os.system(var1) as above it seems to have a problem near the end of the string with msg
sh: .submit=+++Go%21+++: command not found
clearly there is some escape sequence that I don't understand .
I tried combinations of single and double quotes and mixed around var1 in os.system(), but that generates command not found.
I need it to look like how I enter it manually and works
lynx -dump 'http://192.168.01.01/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
Probably obvious to many but i'm spinning my wheels. many thanks for help .
[toc] | [next] | [standalone]
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2013-04-02 06:33 +1100 |
| Message-ID | <mailman.13.1364844794.17481.python-list@python.org> |
| In reply to | #42486 |
On Tue, Apr 2, 2013 at 6:22 AM, <cevyne@gmail.com> wrote: > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk' > lynx -dump 'http://192.168.01.01/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk' The problem is the &, which splits the command. Note how your manual execution puts single quotes around just the URL; in the other version, you're not doing that. (Though I'm not entirely sure why your > junk is inside the quotes - is that an error?) Try this: var1 = 'lynx -dump "http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++" > junk' ChrisA
[toc] | [prev] | [next] | [standalone]
| From | John Gordon <gordon@panix.com> |
|---|---|
| Date | 2013-04-01 20:26 +0000 |
| Message-ID | <kjcqh6$g2n$1@reader1.panix.com> |
| In reply to | #42486 |
In <0c9717ca-52dd-49ce-8102-e1432883858a@googlegroups.com> cevyne@gmail.com writes:
> someip = '192.168.01.01'
> var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
'&' is a special character in shell commands. You'll need to quote or
escape it.
Try this:
someip = '192.168.01.01'
var1 = 'lynx -dump "http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++" > junk'
Note the extra pair of double-quotes around the http:// part.
--
John Gordon A is for Amy, who fell down the stairs
gordon@panix.com B is for Basil, assaulted by bears
-- Edward Gorey, "The Gashlycrumb Tinies"
[toc] | [prev] | [next] | [standalone]
| From | Cameron Simpson <cs@zip.com.au> |
|---|---|
| Date | 2013-04-06 09:00 +1100 |
| Message-ID | <mailman.162.1365200298.3114.python-list@python.org> |
| In reply to | #42496 |
On 01Apr2013 20:26, John Gordon <gordon@panix.com> wrote: | In <0c9717ca-52dd-49ce-8102-e1432883858a@googlegroups.com> cevyne@gmail.com writes: | > someip = '192.168.01.01' | > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk' | | '&' is a special character in shell commands. You'll need to quote or | escape it. Or better still, use the subprocess module and avoid going via the os.system() altogether: http://docs.python.org/2/library/subprocess.html#popen-constructor If you must go via the os.system(), write yourself a generic function to quote a string for the shell, and to quote a bunch of strings (essentially " ".join( quoted-individual-strings )). And use it rigorously. Anything else is asking for shell injection attacks/errors, just as bad as hand constructing SQL statements. For example, if I must construct a shell command from arbitrary strings (like your URL) I use quote() from this: https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py That code's nothing special, just what I rolled some years ago for exactly this purpose. The core lesson is: never waste time figuring out _whether_ you need to treat shell strings specially. Just treat them specially and consistently and be safe. Cheers, -- Cameron Simpson <cs@zip.com.au> -- cat: /Users/cameron/rc/mail/signature.: No such file or directory The Design View editor of Visual InterDev 6.0 is currently incompatible with Compatibility Mode, and may not function correctly. - George Politis <george@research.canon.com.au>, 22apr1999, quoting http://msdn.microsoft.com/vstudio/technical/ie5.asp
[toc] | [prev] | [next] | [standalone]
| From | Chris Rebert <clp2@rebertia.com> |
|---|---|
| Date | 2013-04-05 16:36 -0700 |
| Message-ID | <mailman.168.1365204992.3114.python-list@python.org> |
| In reply to | #42496 |
On Fri, Apr 5, 2013 at 3:00 PM, Cameron Simpson <cs@zip.com.au> wrote: > On 01Apr2013 20:26, John Gordon <gordon@panix.com> wrote: > | In <0c9717ca-52dd-49ce-8102-e1432883858a@googlegroups.com> cevyne@gmail.com writes: > | > someip = '192.168.01.01' > | > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk' > | > | '&' is a special character in shell commands. You'll need to quote or > | escape it. > > Or better still, use the subprocess module and avoid going via the > os.system() altogether: > > http://docs.python.org/2/library/subprocess.html#popen-constructor > > If you must go via the os.system(), write yourself a generic function > to quote a string for the shell, and to quote a bunch of strings > (essentially " ".join( quoted-individual-strings )). And use it > rigorously. > > Anything else is asking for shell injection attacks/errors, just > as bad as hand constructing SQL statements. > > For example, if I must construct a shell command from arbitrary > strings (like your URL) I use quote() from this: > > https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py > > That code's nothing special, just what I rolled some years ago for > exactly this purpose. No need for third-party code, just use the std lib: http://docs.python.org/2/library/pipes.html#pipes.quote http://docs.python.org/3/library/shlex.html#shlex.quote (But yeah, best of all is to just use `subprocess` with shell=False.) Cheers, Chris
[toc] | [prev] | [standalone]
Back to top | Article view | comp.lang.python
csiph-web