Problem with popen() and a regular expression

Joonas Paalasmaa joonas at olen.to
Thu Mar 7 02:14:32 EST 2002


Donn Cave wrote:
> 
> Quoth Joonas Paalasmaa <joonas at olen.to>:
> | Simon Willison wrote:
> |> Joonas Paalasmaa wrote:
> |>> Simon Willison wrote:
> |>>| I've written a simple Python script to scan a bunch of URLs for "live"
> |>>| sites and grab the title of those pages. It works by using popen() to
> |>>| call lynx and analyse the HTTP response:
> |>>|
> |>>| -----------------------------------------------------------------
> |>>|
> |>>| command = "/opt/bin/lynx -mime_header http://www.bath.ac.uk/~"+user+"/"
> |>>
> |>>
> |>> Use:
> |>>
> |>> command=["/opt/bin/lynx","-mime_header","http://www.bath.ac.uk/~"+user+"/"]
> |>>
> |>> for better security.
> |>
> |> I'm a Python newbie :) How does that makes things more secure?
> |
> | If you pass a string to os.popen as the first argument, the process is
> | invoked by running the argument in a shell. That can cause problems if the
> | string is composed from non-safe variables. Imagine a situation where
> | variable 'user' is "; rm -fR ~/; echo ". That causes command
> | "/opt/bin/lynx -mime_header http://www.bath.ac.uk/~; rm -fR ~/; echo /"
> | to be run in the shell.
> | But if a list is passed to os.popen, os.popen will run the program named
> | in the first item of the list with the rest of the list as arguments.
> 
> TypeError: popen() argument 1 must be string, not list
> 
> You meant os.popen2(), not os.popen().

Yes. I forgot that only os.popen2 accepts a list as the first argument.

- Joonas
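The injection described in the thread, worked through as an added example (this is not code from the original posts; os.popen2 is gone in Python 3, so it uses subprocess and shlex). It keeps the /opt/bin/lynx path and the bath.ac.uk URL from the thread but never runs lynx: shlex shows how a POSIX shell would tokenise the string form, and the argv probe runs the Python interpreter in place of lynx to show that the list form delivers the hostile value as one harmless argument. The whitelist regular expression is an assumed policy, not something from the thread.

```python
import re
import shlex
import subprocess
import sys

LYNX = "/opt/bin/lynx"            # path from the thread; not executed here
BASE = "http://www.bath.ac.uk/~"

# Constructed value from the thread: ';' ends the lynx command, rm runs,
# and 'echo' swallows the trailing '/' that the script appends.
HOSTILE_USER = "; rm -fR ~/; echo "


def build_shell_command(user):
    """The original, vulnerable construction: one string for the shell."""
    return LYNX + " -mime_header " + BASE + user + "/"


def safe_shell_command(user):
    """Same string form, but the untrusted part is shell-quoted."""
    return LYNX + " -mime_header " + shlex.quote(BASE + user + "/")


def build_argv(user):
    """The list form: no shell, the URL is exactly one argv entry."""
    return [LYNX, "-mime_header", BASE + user + "/"]


def shell_words(command):
    """Tokenise as a POSIX shell would; ';' becomes its own operator token."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def shell_commands(command):
    """Split the token stream on ';' into the simple commands the shell runs."""
    commands, current = [], []
    for token in shell_words(command):
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def run_argv_probe(user):
    """Run the argv form with the Python interpreter standing in for lynx.

    The child prints its first argument; with a list and no shell, the whole
    hostile string arrives intact as that single argument.
    """
    argv = build_argv(user)
    probe = [sys.executable, "-c", "import sys; print(sys.argv[1])", argv[2]]
    result = subprocess.run(probe, capture_output=True, text=True, check=True)
    return result.stdout.strip()


# Assumed policy: a username is 1-32 ASCII letters, digits or underscores.
USER_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_user(user):
    """Reject anything outside the whitelist before it reaches a command."""
    return USER_RE.match(user) is not None


if __name__ == "__main__":
    for cmd in shell_commands(build_shell_command(HOSTILE_USER)):
        print("shell would run:", cmd)
    print("quoted form runs:", shell_commands(safe_shell_command(HOSTILE_USER)))
    print("argv form delivered:", run_argv_probe(HOSTILE_USER))
    print("whitelist accepts hostile user:", is_valid_user(HOSTILE_USER))
```

Both the quoted string and the list form are safe; the list form is preferable because there is no shell to get quoting wrong, and the whitelist check stops bad input before any command is built.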