Escaping strings to be used in shell commands?
Timothy Grant
tjg at exceptionalminds.com
Thu Apr 12 14:29:54 EDT 2001
On Thu, Apr 12, 2001 at 05:50:13PM +0000, Brian Langenberger wrote:
> Timothy Grant <tjg at exceptionalminds.com> wrote:
>
> <snip!>
>
> :> Try checking into the crypt or md5 modules and try encrypting the
> :> password from within python. Someone might actually want their
> :> password to be ";rm -rf *", which is harmless to pass to crypt()
> :> but undesirable to send to os.system().
>
> : Even given this caveat, the md5crypt module will generate
> : strings that can't be passed directly to os.system()--the
> : dollar signs must be escaped. Having just been through this a
> : couple of weeks ago, the following regex solved the problem.
>
> : re.sub(r'\$', r'\\$', password)
>
> That's better, of course, but I'm all in favor of not putting
> passwords, hashed or otherwise, through os.system() whatsoever.
> Any command-line arguments can show up in "ps", and having that
> sort of info flying around can't be a good idea.
>
> I figure, if you need to update passwords from a Python app, just
> build the app to update the requisite /etc files itself.
> As flat text, Python should gobble them up without a hitch.

I've been having all sorts of fun with Python and the pwd and
grp modules recently. I'll probably have a complete password
user/group/password management system done fairly soon. But in
the meantime os.system has had to suffice.

However, I am curious why there is more of a problem with an app
calling the useradd command than there is with an admin
issuing a useradd from the command line?
--
Stand Fast,
tjg.
Timothy Grant tjg at exceptionalminds.com
Chief Technology Officer www.exceptionalminds.com
HyperLINq Technologies, Inc. <>< (503) 246-3630
>>>>>>>>>>>>>Linux, because rebooting is *NOT* normal<<<<<<<<<
>>>>This machine was last rebooted: 15 days 20:37 hours ago<<
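
The quoting and `ps` points raised in this thread, as an added example that is not part of the original message: it compares the dollar-only escape with `shlex.quote`, with skipping the shell entirely, and with sending the hash on stdin. `SAMPLE_HASH` and `RAW` are constructed values, and the child processes are stand-ins (assumptions) for `useradd` and `chpasswd -e`.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample in md5crypt layout ($1$salt$digest); not a real credential.
SAMPLE_HASH = "$1$Qm3xZk1a$V0n8cY5uT2rL7pWfH4sJd/"
RAW = "two  words $HOME"  # constructed input that is not a hash


def escape_dollars(s):
    """The thread's fix: backslash-escape '$' and nothing else."""
    return re.sub(r"\$", r"\\$", s)


def via_shell(word):
    """Return what a command receives when `word` is pasted into an sh command line."""
    r = subprocess.run(["/bin/sh", "-c", "printf '%s' " + word],
                       capture_output=True, text=True, check=True)
    return r.stdout


def via_argv(arg):
    """No shell involved: the list element reaches the child byte for byte."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]
    r = subprocess.run(child + [arg], capture_output=True, text=True, check=True)
    return r.stdout


def via_stdin(user, hashed, cmd=None):
    """Send 'user:hash' on stdin (the input format of `chpasswd -e`) so the
    hash never appears in the argument list that ps displays."""
    # Default child is a stand-in that echoes stdin; pass ["chpasswd", "-e"] as root.
    cmd = cmd or [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]
    r = subprocess.run(cmd, input=f"{user}:{hashed}\n",
                       capture_output=True, text=True, check=True)
    return cmd, r.stdout


if __name__ == "__main__":
    print("unescaped hash  :", repr(via_shell(SAMPLE_HASH)))
    print("dollar-escaped  :", repr(via_shell(escape_dollars(SAMPLE_HASH))))
    print("escaped raw text:", repr(via_shell(escape_dollars(RAW))))
    print("shlex.quote raw :", repr(via_shell(shlex.quote(RAW))))
    print("argv list raw   :", repr(via_argv(RAW)))
    print("stdin delivery  :", via_stdin("alice", SAMPLE_HASH))
```

The dollar-only escape round-trips an md5crypt hash because that format contains no other shell metacharacters; it does not round-trip arbitrary text, which is where `shlex.quote` or an argument list is needed.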