On Fri, Apr 5, 2013 at 3:00 PM, Cameron Simpson <c...@zip.com.au> wrote: > On 01Apr2013 20:26, John Gordon <gor...@panix.com> wrote: > | In <0c9717ca-52dd-49ce-8102-e14328838...@googlegroups.com> cev...@gmail.com > writes: > | > someip = '192.168.01.01' > | > var1 = 'lynx -dump http://' + someip + > '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk' > | > | '&' is a special character in shell commands. You'll need to quote or > | escape it. > > Or better still, use the subprocess module and avoid going via the > os.system() altogether: > > http://docs.python.org/2/library/subprocess.html#popen-constructor > > If you must go via the os.system(), write yourself a generic function > to quote a string for the shell, and to quote a bunch of strings > (essentially " ".join( quoted-individual-strings )). And use it > rigorously. > > Anything else is asking for shell injection attacks/errors, just > as bad as hand constructing SQL statements. > > For example, if I must construct a shell command from arbitrary > strings (like your URL) I use quote() from this: > > https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py > > That code's nothing special, just what I rolled some years ago for > exactly this purpose.
No need for third-party code, just use the std lib: http://docs.python.org/2/library/pipes.html#pipes.quote http://docs.python.org/3/library/shlex.html#shlex.quote (But yeah, best of all is to just use `subprocess` with shell=False.) Cheers, Chris -- http://mail.python.org/mailman/listinfo/python-list
