Escaping strings to be used in shell commands?

Brian Langenberger brian at brian.cbs.umn.edu
Thu Apr 12 11:02:43 EDT 2001


Gabriel Ambuehl <gabriel_ambuehl-py at buz.ch> wrote:
: Hello,
: I wonder what is the easiest way to escape user submitted strings so I can
: safely use them in os.system() calls. Limiting the allowed chars isn't
: feasible since I want them to use as safe passwords as possible and
: those generally DO consist of special chars. Any good ideas how I
: could solve this?

Try checking into the crypt or md5 modules and try encrypting the
password from within Python.  Someone might actually want their
password to be ";rm -rf *", which is harmless to pass to crypt()
but undesirable to send to os.system().

You really don't want to send user-submitted *anything* to os.system().
Trust us on this one.
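
The difference the reply points at, as an added example that is not part of the original thread: the same untrusted string handed to a shell unquoted, quoted, passed as a single argv element with no shell, and hashed inside Python. The function names and the sample string are constructed for illustration; `shlex.quote`, `subprocess.run` and `hashlib.pbkdf2_hmac` come from the current standard library and are an assumed modern stand-in for `os.system()` and the crypt/md5 modules named in the post.

```python
import hashlib
import shlex
import subprocess
import sys

# Constructed sample input: a "password" containing a shell metacharacter.
# The trailing command is a harmless echo used only as a visible marker.
SAMPLE = "s3cret;echo INJECTED"


def via_shell_unquoted(value):
    """The pattern to avoid: os.system()-style string concatenation."""
    cmd = "printf '%s' " + value  # the shell treats ';' as a command separator
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def via_shell_quoted(value):
    """If a shell is unavoidable, quote every untrusted word."""
    cmd = "printf '%s' " + shlex.quote(value)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def via_argv(value):
    """No shell involved: the value reaches the child as one argv element."""
    child = "import sys; sys.stdout.write(sys.argv[1])"
    result = subprocess.run([sys.executable, "-c", child, value],
                            capture_output=True, text=True)
    return result.stdout


def hash_in_process(value, salt, iterations=100_000):
    """Keep the password inside Python and hash it there, as the reply advises.

    PBKDF2-HMAC-SHA256 is an assumption of this example, not the post's choice.
    """
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, iterations)


if __name__ == "__main__":
    print("unquoted shell:", repr(via_shell_unquoted(SAMPLE)))
    print("quoted shell:  ", repr(via_shell_quoted(SAMPLE)))
    print("argv, no shell:", repr(via_argv(SAMPLE)))
    # Fixed salt only so the demo is repeatable; use os.urandom(16) per password.
    print("hashed:        ", hash_in_process(SAMPLE, b"constructed-salt").hex())
```

Only the unquoted variant lets the text after `;` run as a second command; the other three treat the whole string as data.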



