Re: [Pythonmac-SIG] Escaping commandline strings
On 04Jan2011 12:21, Chris Weisiger cweisi...@msg.ucsf.edu wrote:
| I want to sanitize some strings (e.g. escape apostrophes, spaces, etc.)
| before passing them to the commandline via subprocess. Unfortunately I can't
| seem to find any built-in function to do this. Am I really going to have to
| write up my own sanitizer? Not that it'd be much effort, but I'd much rather
| use an official function than risk forgetting something.

If it is for Bourne shell syntax, it's almost too simple to put in a
library: put into single quotes and replace all inner single quotes with:

  '\''

You can play games with strings that are safe to not quote, etc but the
above is very simple and reliable. Something like (untested):

  "'"+s.replace("'", "'\\''")+"'"

Cheers,
--
Cameron Simpson c...@zip.com.au DoD#743
http://www.cskk.ezoshosting.com/cs/

You Know You're in the SCA When...
        ...the tunes you unconsciously hum are in Latin.
        - Cailfind ingen Grainne
___
Pythonmac-SIG maillist - Pythonmac-SIG@python.org
http://mail.python.org/mailman/listinfo/pythonmac-sig
unsubscribe: http://mail.python.org/mailman/options/Pythonmac-SIG
Re: [Pythonmac-SIG] Escaping commandline strings
A friend just pointed me to pipes.quote(). Is there any reason I shouldn't
just use that?

And given the number of rather simple things that are already in the
standard library (e.g. capitalize the first letter of a string), simplicity
isn't really an excuse for excluding this functionality. Especially since
doing this wrong leaves you open to security issues.

-Chris

On Tue, Jan 4, 2011 at 1:20 PM, Cameron Simpson c...@zip.com.au wrote:
> On 04Jan2011 12:21, Chris Weisiger cweisi...@msg.ucsf.edu wrote:
> | I want to sanitize some strings (e.g. escape apostrophes, spaces, etc.)
> | before passing them to the commandline via subprocess. Unfortunately I can't
> | seem to find any built-in function to do this. Am I really going to have to
> | write up my own sanitizer? Not that it'd be much effort, but I'd much rather
> | use an official function than risk forgetting something.
>
> If it is for Bourne shell syntax, it's almost too simple to put in a
> library: put into single quotes and replace all inner single quotes with:
>
>   '\''
>
> You can play games with strings that are safe to not quote, etc but the
> above is very simple and reliable. Something like (untested):
>
>   "'"+s.replace("'", "'\\''")+"'"
>
> Cheers,
> --
> Cameron Simpson c...@zip.com.au DoD#743
> http://www.cskk.ezoshosting.com/cs/
>
> You Know You're in the SCA When...
>         ...the tunes you unconsciously hum are in Latin.
>         - Cailfind ingen Grainne
Re: [Pythonmac-SIG] Escaping commandline strings
In article aanlktik8e7h8-tqw2=f5f30uke_d99yytu=0dvylk...@mail.gmail.com,
Chris Weisiger cweisi...@msg.ucsf.edu wrote:
> I want to sanitize some strings (e.g. escape apostrophes, spaces, etc.)
> before passing them to the commandline via subprocess. Unfortunately I can't
> seem to find any built-in function to do this. Am I really going to have to
> write up my own sanitizer? Not that it'd be much effort, but I'd much rather
> use an official function than risk forgetting something.

The subprocess doc shows how to use shlex to parse a shell-like command
string. I'm not sure I understand your use case but is there a reason
you can't use 'shell=False' and set up the arguments yourself, thus
avoiding the need for escapes? Even if you really need to have a shell
execute the string, you should be able to set up the arguments and call
the shell directly.

http://docs.python.org/library/subprocess.html

--
Ned Deily, n...@acm.org
Re: [Pythonmac-SIG] Escaping commandline strings
On Tue, Jan 4, 2011 at 1:56 PM, Ned Deily n...@acm.org wrote:
> In article aanlktik8e7h8-tqw2=f5f30uke_d99yytu=0dvylk...@mail.gmail.com,
> Chris Weisiger cweisi...@msg.ucsf.edu wrote:
> > I want to sanitize some strings (e.g. escape apostrophes, spaces, etc.)
> > before passing them to the commandline via subprocess. Unfortunately I can't
> > seem to find any built-in function to do this. Am I really going to have to
> > write up my own sanitizer? Not that it'd be much effort, but I'd much rather
> > use an official function than risk forgetting something.
>
> The subprocess doc shows how to use shlex to parse a shell-like command
> string. I'm not sure I understand your use case but is there a reason
> you can't use 'shell=False' and set up the arguments yourself, thus
> avoiding the need for escapes? Even if you really need to have a shell
> execute the string, you should be able to set up the arguments and call
> the shell directly.
>
> http://docs.python.org/library/subprocess.html

What I'm doing here is writing out a shell script for each of a list of
files I'm processing. The shell script has hard-coded paths in it
corresponding to the input file; subprocess is used solely to invoke the
shell script.

I recognize this is kind of a weird setup. It's mostly here so I can
delegate a chunk of functionality to be handled by a remote server queue --
just transfer the shell script over (as well as the input files), then run a
queue-submit program with the shell script as the argument. I can't do that
kind of thing just with subprocess. The shell script approach also makes
some aspects of debugging more straightforward, but that's not why it's
here.

> --
> Ned Deily, n...@acm.org

-Chris
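
Added example, not part of any post in this thread: the single-quote rule and the generated-script use case discussed above, checked by running each generated script through /bin/sh and comparing what the shell receives with the original file name. It also compares the rule with shlex.quote, the Python 3 home of pipes.quote; the function names and sample file names are constructed for illustration, and a POSIX /bin/sh is assumed.

```python
import shlex
import subprocess


def sq_quote(s):
    """Rule from the thread: wrap in '...' and write each inner ' as '\\''."""
    return "'" + s.replace("'", "'\\''") + "'"


def build_script(input_path, quoter=sq_quote):
    """Return /bin/sh script text with input_path hard-coded as an argument."""
    return "#!/bin/sh\nprintf '%s' " + quoter(input_path) + "\n"


def run_script(script_text):
    """Feed the script to /bin/sh on stdin (no shell=True); return its stdout."""
    done = subprocess.run(["/bin/sh"], input=script_text,
                          capture_output=True, text=True, check=True)
    return done.stdout


def round_trips(name):
    """True if the script hands printf exactly the original file name."""
    return run_script(build_script(name)) == name


def agrees_with_shlex(name):
    """True if sq_quote and shlex.quote both parse back to the same word."""
    return shlex.split(sq_quote(name)) == shlex.split(shlex.quote(name)) == [name]


# Constructed sample file names, not taken from the thread.
SAMPLES = [
    "plain.tif",
    "two words.tif",
    "it's here.tif",
    "$(echo injected).tif",
    "a;b`c`|d&e.tif",
    'back\\slash "dq".tif',
    "line\nbreak.tif",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(round_trips(name), agrees_with_shlex(name), sq_quote(name))
    # Unquoted, the shell splits the name into two words and printf joins them.
    print(repr(run_script(build_script("two words.tif", quoter=str))))
```

The quoting is only valid for the shell that parses the generated script; the queue-submit program's own argument (the script path) is still best passed as a list element to subprocess with shell=False.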