Securely passing arguments when opening a pipe to a program
Joonas Paalasmaa
joonas at olen.to
Fri Mar 1 17:28:02 EST 2002
Donn Cave wrote:
>
> Quoth Joonas Paalasmaa <joonas at olen.to>:
> | I am using Gnokii to send SMS messages with Python. Gnokii is started
> | with
> | popen2.popen2 like this:
> |
> | gnokiiRead, gnokiiWrite = popen2.popen2("gnokii --sendsms %s" %
> | phonenumber)
> | gnokiiWrite.write(message)
> | gnokiiWrite.close()
> | response = gnokiiRead.read()
> | gnokiiRead.close()
> |
> | The problem is that the phonenumber string is not safe; it can even be
> | "000; rm -fR ~/*". How can I securely pass arguments when opening the
> | pipe?
> | Is there a way to pass the arguments like in os.execv?
>
> Yes! I hear this isn't documented as well as it could be, but
> popen2 accepts either a string or a sequence, and in the latter
> case the sequence is argv, like in os.execv.
Thanks for the answer. I wonder why this very helpful feature isn't
documented in os-module's documentation?
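
The sequence form from Donn Cave's answer, carried over to current Python as an added example that is not part of the original thread: the `popen2` module was removed in Python 3, and `subprocess.run` accepts the same argv sequence. `send_sms` and `FAKE_GNOKII` are hypothetical names; the stand-in program echoes what it received so the result can be inspected without gnokii installed.

```python
import json
import subprocess
import sys

# Stand-in for the gnokii binary (assumption: gnokii is not installed here).
# It reports the argv it received and the message read from stdin as JSON.
FAKE_GNOKII = [
    sys.executable, "-c",
    "import json, sys; "
    "print(json.dumps({'argv': sys.argv[1:], 'stdin': sys.stdin.read()}))",
]


def send_sms(phonenumber, message, program=("gnokii",)):
    """Run `<program> --sendsms <phonenumber>` with the message on stdin.

    The command is a sequence, so no shell parses it: phonenumber is
    delivered as exactly one argv entry, whatever characters it contains.
    """
    argv = [*program, "--sendsms", phonenumber]
    result = subprocess.run(
        argv,                 # sequence form; shell=False is the default
        input=message,        # written to the child's stdin, then closed
        capture_output=True,
        text=True,
        check=True,           # raise if the program exits non-zero
    )
    return result.stdout


def demo():
    hostile = "000; rm -fR ~/*"   # the value from the original question
    out = send_sms(hostile, "hello", program=FAKE_GNOKII)
    return json.loads(out)


if __name__ == "__main__":
    # The whole string arrives as a single argument; nothing is executed.
    print(demo())
```

The sequence form removes shell parsing only; the target program still interprets the value, so a number starting with `-` may be read as an option and is worth validating separately.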