Calling an application from inside a python script Take 1

Sun Jan 7 08:22:34 EST 2001

In article <935p59$cga$1 at nntp6.u.washington.edu>, Donn Cave wrote:
>Quoth "Joel Ricker" <joejava at dragonat.net>:
>| Donn Cave wrote in message <9351o8$8qm$1 at nntp6.u.washington.edu>...

>|> try that and see what happens?  That's an intentionally hostile
>|> input (don't try it, really.)  Accidental input errors might be harmless,
>|> or might not.

>|> I didn't see anything wrong with the ssh in your initial post, the
>|> problem was system().  system() + user-supplied input = unpredictable
>|> results.  Use spawnv().

>| I'm not sure if you are familar with perl but perl has a pragma called Taint
>| that when enabled prohibits the use of user supplied input until the proper
>| input is regexed out of it - for example, usernames shouldn't have any
>| punctuation other than _ or control codes, etc.  I'm not sure exactly what
>| Python has in this regard as this is Day 1 of my Perl Recovery Program (*s*)
>| but its a mindset worth applying.

>I'd like to see people try spawnv().  (Or spawnvp(), whatever.)

>It's nice to be able to clean up input for the shell command line, and 
>maybe it's even reliable enough.  As a mindset, I'm not sure.  If you
>need to walk a high-wire, then a safety net is a good idea.  If you
>actually could just cross at the street level, but everyone takes the
>high-wire because they don't like to walk up and down the stairs and
>there's a safety net, that puts the safety net in a different perspective.
>You can still break your neck.

>Until now, we could only say "system() is scary, but the alternatives
>are complex and laborious."  Now 2.0 has a reasonably handy alternative.
>It's safer, it's faster, would appear to be portable.  Say no to
>system(), at least with calculated inputs.

>	Donn Cave, donn at u.washington.edu

 system() is scary because it spawns a shell, which parses
 the input as a command line *IN THE USERS ENVIRONMENT*.  Thus
 there are various environement settings like PATH, possibly 
 including aliases and shell functions that can also invisibly
 affect what is run.

 Note that Taint checking is not a panacea.  In only enforces
 a policy that you perform some substition/regex filtering operation
 on your strings before you pass them to your system or eval functions.
 It doesn't "know" what constitutes a safe set of filtering parameters
 for each shell or whatever.  Like a safety on a firearm it helps a good 
 programmer avoid shooting himself in the foot but it doesn't unload
 the gun for you!