Escaping strings to be used in shell commands?
Brian Langenberger
brian at brian.cbs.umn.edu
Thu Apr 12 13:50:13 EDT 2001
Timothy Grant <tjg at exceptionalminds.com> wrote:
<snip!>
:> Try checking into the crypt or md5 modules and try encrypting the
:> password from within python. Someone might actually want their
:> password to be ";rm -rf *", which is harmless to pass to crypt()
:> but undesirable to send to os.system().
: Even given this caveat, the md5crypt module will generate
: strings that can't be passed directly to os.system()--the
: dollar signs must be escaped. Having just been through this a
: couple of weeks ago, the following regex solved the problem.
: re.sub(r'\$', r'\\$', password)
That's better, of course, but I'm all in favor of not putting
passwords, hashed or otherwise, through os.system() whatsoever.
Any command-line arguments can show up in "ps", and having that
sort of info flying around can't be a good idea.
I figure, if you need to update passwords from a Python app, just
build the app to update the requisite /etc files itself.
As flat text, Python should gobble them up without a hitch.
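
Added example, not part of the original post: it sends the kinds of strings discussed in this thread to a child process three ways, quoted for a shell with shlex.quote(), as a single argv element with no shell, and over stdin so the value never appears in the argument list that "ps" shows. The sample strings and the echoing child program are constructed stand-ins (assumptions), and a POSIX "sh" is assumed.

```python
import shlex
import subprocess
import sys

# Constructed sample values: a hostile-looking password, an md5crypt-style
# hash full of dollar signs, and a string mixing quotes and substitutions.
SAMPLES = [
    ";rm -rf *",
    "$1$abcdefgh$Qx0zJ3mYw1kPq7uV5sT2e/",
    "it's a \"test\" `id` $(id)",
]

# Stand-in for any tool that reads a secret from stdin (assumption).
STDIN_CHILD = "import sys; sys.stdout.write(sys.stdin.read())"
ARGV_CHILD = "import sys; sys.stdout.write(sys.argv[1])"


def run(argv, **kwargs):
    """Run argv without a shell and return its stdout as text."""
    return subprocess.run(argv, capture_output=True, text=True,
                          check=True, **kwargs).stdout


def through_shell(value):
    """A shell parses the command line; shlex.quote() keeps value literal."""
    return run(["sh", "-c", "printf '%s' " + shlex.quote(value)])


def through_argv(value):
    """No shell, so no escaping is needed, but value is still visible in ps."""
    return run([sys.executable, "-c", ARGV_CHILD, value])


def through_stdin(value):
    """No shell and value is absent from argv; returns (echoed value, argv)."""
    argv = [sys.executable, "-c", STDIN_CHILD]
    return run(argv, input=value), argv


if __name__ == "__main__":
    for sample in SAMPLES:
        echoed, argv = through_stdin(sample)
        print(repr(sample), through_shell(sample) == sample,
              through_argv(sample) == sample, echoed == sample,
              sample not in argv)
```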