


Re: os.system() with imbeded quotes on centos

References <kjcqh6$g2n$1@reader1.panix.com> <20130405220039.GA95779@cskk.homeip.net>
Date 2013-04-05 16:36 -0700
Subject Re: os.system() with imbeded quotes on centos
From Chris Rebert <clp2@rebertia.com>
Newsgroups comp.lang.python
Message-ID <mailman.168.1365204992.3114.python-list@python.org>



On Fri, Apr 5, 2013 at 3:00 PM, Cameron Simpson <cs@zip.com.au> wrote:
> On 01Apr2013 20:26, John Gordon <gordon@panix.com> wrote:
> | In <0c9717ca-52dd-49ce-8102-e1432883858a@googlegroups.com> cevyne@gmail.com writes:
> | > someip = '192.168.01.01'
> | > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++  > junk'
> |
> | '&' is a special character in shell commands.  You'll need to quote or
> | escape it.
>
> Or better still, use the subprocess module and avoid going via the
> os.system() altogether:
>
>   http://docs.python.org/2/library/subprocess.html#popen-constructor
>
> If you must go via the os.system(), write yourself a generic function
> to quote a string for the shell, and to quote a bunch of strings
> (essentially " ".join( quoted-individual-strings )). And use it
> rigorously.
>
> Anything else is asking for shell injection attacks/errors, just
> as bad as hand constructing SQL statements.
>
> For example, if I must construct a shell command from arbitrary
> strings (like your URL) I use quote() from this:
>
>   https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py
>
> That code's nothing special, just what I rolled some years ago for
> exactly this purpose.

No need for third-party code, just use the std lib:
http://docs.python.org/2/library/pipes.html#pipes.quote
http://docs.python.org/3/library/shlex.html#shlex.quote

(But yeah, best of all is to just use `subprocess` with shell=False.)

Cheers,
Chris
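
Added example, not part of any post in this thread: the three approaches discussed above (an unquoted shell string, a string built with `shlex.quote()`, and `subprocess` without a shell) run side by side on the URL from the original question. It assumes a POSIX `/bin/sh` and Python 3.7+; a harmless probe that prints its first argument stands in for `lynx -dump`, and the function names are hypothetical.

```python
import shlex
import subprocess
import sys

# Constructed sample: the URL from the thread. The probe below replaces
# `lynx -dump` so the example runs offline and only echoes what it receives.
URL = "http://192.168.01.01/cgi-bin/xxxx.log&.submit=+++Go%21+++"
PROBE = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def via_shell_unquoted(url):
    """Concatenate the URL into a shell string, as the original post did.

    The shell treats '&' as a command separator: the probe is started in the
    background with a truncated URL, and the remainder is run as a command.
    """
    cmd = " ".join(shlex.quote(p) for p in PROBE) + " " + url
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def via_shell_quoted(url):
    """Same shell string, but every word goes through shlex.quote()."""
    cmd = " ".join(shlex.quote(p) for p in PROBE + [url])
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def via_argv(url):
    """No shell involved: the URL is a single argv element (shell=False)."""
    return subprocess.run(PROBE + [url], capture_output=True, text=True)


if __name__ == "__main__":
    for fn in (via_shell_unquoted, via_shell_quoted, via_argv):
        r = fn(URL)
        print(f"{fn.__name__:20} rc={r.returncode} saw={r.stdout.strip()!r}")
```

In the unquoted case the probe only ever sees the part of the URL before `&`, and the shell reports an error for the rest; the other two deliver the URL intact.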
