Re: Sanitising arguments to shell commands

2009-08-21 Thread Chris Rebert
On Fri, Aug 21, 2009 at 3:55 PM, Ben Finney wrote:
> Rick King writes:
>
>> shlex doesn't handle unicode input though, so, in general, it's not a
>> good solution.
>
> Argh. Is there a Python bug tracker number for fixing that?

Indeed there is:
http://bugs.python.org/issue1170

It even has a patch. I wonder why it's unapplied.

Cheers,
Chris
--
http://blog.rebertia.com
-- 
http://mail.python.org/mailman/listinfo/python-list


Re: Sanitising arguments to shell commands

2009-08-21 Thread Ben Finney
Rick King writes:

> shlex doesn't handle unicode input though, so, in general, it's not a
> good solution.

Argh. Is there a Python bug tracker number for fixing that? Or is there
a better solution?

-- 
 \ “Pinky, are you pondering what I'm pondering?” “I think so, |
  `\   Brain, but if we have nothing to fear but fear itself, why does |
_o__) Elanore Roosevelt wear that spooky mask?” —_Pinky and The Brain_ |
Ben Finney


Re: Sanitising arguments to shell commands

2009-08-21 Thread Rick King
shlex doesn't handle unicode input though, so, in general, it's not a 
good solution.


Rick King
Southfield MI


> http://docs.python.org/library/shlex.html
>
> module shlex — Simple lexical analysis
> New in version 1.5.2.
> "The shlex class makes it easy to write lexical analyzers for simple
> syntaxes resembling that of the Unix shell."



Re: Sanitising arguments to shell commands

2009-08-21 Thread Jean-Michel Pichavant

Ben Finney wrote:
> Jean-Michel Pichavant writes:
>
>> Can someone explain the difference with the shell argument ? giving
>> for instance an example of what True will do that False won't.
>
> The ‘shell’ argument to the ‘subprocess.Popen’ constructor specifies
> whether the command-line should be invoked directly (‘shell=False’) or
> indirectly through invoking a shell (‘shell=True’).
>
> If ‘shell=False’, the command-line arguments are used as direct
> arguments to the kernel's “run this program for me”.
>
> If ‘shell=True’ the command-line arguments are themselves passed to a
> new instance of the user's current shell, as a command line that *it*
> should invoke on the program's behalf. This allows the command line to
> be manipulated and interpolated etc., the way it would be if typed at a
> new shell prompt. Then, that shell will in turn ask the kernel “run this
> program for me” as it normally does after processing the arguments.
>
>> I mean, I've read the doc, and to be honest, I didn't get it. I'm
>> concerned because I'm using subprocess, but I guess my shell arg has
>> been filled a little bit random..
>
> Use ‘shell=False’ by default (which, since that's the default for
> ‘subprocess.Popen’, means you can omit it entirely), and specify exactly
> the command line arguments you want the kernel to execute. Only if you
> know you want a shell process to be involved should you use
> ‘shell=True’.

Thank you Ben for the update. It's clear for me now, I've checked and I
use it with no shell arg, except at one place, but I don't think it's
intended and it happens to work anyway. I've added a small comment just
in case it fails in the future.


JM


Re: Sanitising arguments to shell commands

2009-08-21 Thread Ben Finney
Chris Rebert writes:

> module shlex — Simple lexical analysis
> New in version 1.5.2.
> "The shlex class makes it easy to write lexical analyzers for simple
> syntaxes resembling that of the Unix shell."

Exactly what I needed:

>>> import shlex
>>> user_configured_args = "--baz 'crunch cronch' --wobble"
>>> filenames = ["spam.txt", "beans.txt"]
>>> command_args = ["foo", "--bar"]
>>> command_args.extend(shlex.split(user_configured_args))
>>> command_args.extend(filenames)
>>> command_args
['foo', '--bar', '--baz', 'crunch cronch', '--wobble', 'spam.txt', 'beans.txt']

-- 
 \ “Pinky, are you pondering what I'm pondering?” “I think so, |
  `\Brain, but if we get Sam Spade, we'll never have any puppies.” |
_o__)   —_Pinky and The Brain_ |
Ben Finney


Re: Sanitising arguments to shell commands

2009-08-21 Thread Ben Finney
Jean-Michel Pichavant writes:

> Can someone explain the difference with the shell argument ? giving
> for instance an example of what True will do that False won't.

The ‘shell’ argument to the ‘subprocess.Popen’ constructor specifies
whether the command-line should be invoked directly (‘shell=False’) or
indirectly through invoking a shell (‘shell=True’).

If ‘shell=False’, the command-line arguments are used as direct
arguments to the kernel's “run this program for me”.

If ‘shell=True’ the command-line arguments are themselves passed to a
new instance of the user's current shell, as a command line that *it*
should invoke on the program's behalf. This allows the command line to
be manipulated and interpolated etc., the way it would be if typed at a
new shell prompt. Then, that shell will in turn ask the kernel “run this
program for me” as it normally does after processing the arguments.

> I mean, I've read the doc, and to be honest, I didn't get it. I'm
> concerned because I'm using subprocess, but I guess my shell arg has
> been filled a little bit random..

Use ‘shell=False’ by default (which, since that's the default for
‘subprocess.Popen’, means you can omit it entirely), and specify exactly
the command line arguments you want the kernel to execute. Only if you
know you want a shell process to be involved should you use
‘shell=True’.

-- 
 \ “Welchen Teil von ‘Gestalt’ verstehen Sie nicht?  [What part of |
  `\‘gestalt’ don't you understand?]” —Karsten M. Self |
_o__)  |
Ben Finney
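
The ‘shell=False’ / ‘shell=True’ difference explained in the message above, combined with the shlex.split approach from earlier in the thread, as an added example that is not part of any poster's message. It assumes a POSIX /bin/sh and Python 3.7+; the helper names, the argv-printing child program and the sample filename are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Child program (constructed for this example) that prints each argument
# it received on its own line, so the resulting argv can be inspected.
SHOW_ARGV = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]

def run_direct(args):
    """shell=False (the default): each list item reaches the program as one argument."""
    out = subprocess.run(SHOW_ARGV + args, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

def run_via_shell(command_line):
    """shell=True: /bin/sh parses the string first (word splitting, ';', '$', globs)."""
    out = subprocess.run(command_line, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

def build_args(user_configured_args, filenames):
    """Split an option string with shell-like quoting rules, then append filenames verbatim."""
    return shlex.split(user_configured_args) + list(filenames)

# Constructed sample input: a filename with whitespace and a shell metacharacter.
FILENAME = "my notes.txt; echo INJECTED"

# The trusted part of the command, quoted so it is safe to place in a shell string.
BASE = " ".join(shlex.quote(a) for a in SHOW_ARGV)

if __name__ == "__main__":
    # No shell involved: the filename stays a single, literal argument.
    print(run_direct(build_args("--baz 'crunch cronch' --wobble", [FILENAME])))
    # Shell involved, filename unquoted: split into two words, and 'echo' runs.
    print(run_via_shell(BASE + " " + FILENAME))
    # Shell involved, filename passed through shlex.quote: one argument again.
    print(run_via_shell(BASE + " " + shlex.quote(FILENAME)))
```

If a shell really is required, shlex.quote on every untrusted piece is the minimum; the list form with no shell avoids the parsing step altogether.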


Re: Sanitising arguments to shell commands

2009-08-21 Thread Jean-Michel Pichavant

Ben Finney wrote:
> Miles Kaufmann writes:
>
>> I would recommend avoiding shell=True whenever possible. It's used in
>> the examples, I suspect, to ease the transition from the functions
>> being replaced, but all it takes is for a filename or some other input
>> to unexpectedly contain whitespace or a metacharacter and your script
>> will stop working--or worse, do damage (cf. the iTunes 2 installer
>> debacle[1]).
>
> Agreed, and that's my motivation for learning about ‘subprocess.Popen’.

Can someone explain the difference with the shell argument ? giving for
instance an example of what True will do that False won't. I mean, I've
read the doc, and to be honest, I didn't get it.
I'm concerned because I'm using subprocess, but I guess my shell arg has
been filled a little bit random..


JM


Re: Sanitising arguments to shell commands (was: Waiting for a subprocess to exit)

2009-08-21 Thread Chris Rebert
On Fri, Aug 21, 2009 at 2:08 AM, Ben Finney wrote:

> How can I take a string that is intended to be part of a command line,
> representing multiple arguments and the shell's own escape characters as
> in the above example, and end up with a sane command argument list for
> ‘subprocess.Popen’?

http://docs.python.org/library/shlex.html

module shlex — Simple lexical analysis
New in version 1.5.2.
"The shlex class makes it easy to write lexical analyzers for simple
syntaxes resembling that of the Unix shell."

Cheers,
Chris
--
http://blog.rebertia.com