building strings with variable input
Erik Max Francis
max at alcyone.com
Tue Jan 13 00:02:22 EST 2004
"David M. Cooke" wrote:
> Do you mean something like
> os.environ['startTime'] = '`rm -rf /`'
> ?
No, I mean something like
os.environ['startTime'] = '"; rm -rf /; : "'
The lesson to be learned here is: Do not build shell commands from
untrusted inputs. Ever.
--
__ Erik Max Francis && max at alcyone.com && http://www.alcyone.com/max/
/ \ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
\__/ You are free and that is why you are lost.
-- Franz Kafka
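As an added example (not code from the thread or from either poster), the following Python shows why a quoted interpolation does not contain the `"; rm -rf /; : "` style payload, and what to do instead. The command template (`echo "job started at %s"`), the function names and the stand-in payload are assumptions for illustration; the payload runs `echo INJECTED` rather than `rm` so the script is harmless to execute. The tokenizer uses `shlex` in POSIX mode to predict how /bin/sh would split the string, without spawning a shell; the subprocess calls only run under the main guard.

```python
import shlex
import subprocess
from typing import List

# Constructed, harmless stand-in for the thread's '"; rm -rf /; : "' value:
# the injected command only echoes a marker, so the demo is safe to run.
MALICIOUS_START_TIME = '"; echo INJECTED; : "'


def build_command_unsafely(start_time: str) -> str:
    # The pattern the thread warns about: interpolating an untrusted value
    # (e.g. os.environ['startTime']) into a command string and trusting the
    # surrounding double quotes to keep it a single argument.
    return 'echo "job started at %s"' % start_time


def build_command_safely(start_time: str) -> str:
    # If a shell string is unavoidable, quote the whole value with
    # shlex.quote(): it wraps the text in single quotes and escapes any
    # embedded single quotes, so the shell sees exactly one word.
    return 'echo %s' % shlex.quote('job started at ' + start_time)


def build_argv(start_time: str) -> List[str]:
    # Preferred: never build a shell command at all.  Pass an argv list to
    # subprocess (shell=False); the value becomes one argument, verbatim.
    return ['echo', 'job started at ' + start_time]


def shell_commands(command_line: str) -> List[List[str]]:
    # Predict how a POSIX shell splits the string: quotes are removed and
    # ';' is emitted as its own token, which we use to separate commands.
    # This is a model of simple command lists only (no pipes, &&, etc.).
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok == ';':
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == '__main__':
    unsafe = build_command_unsafely(MALICIOUS_START_TIME)
    print('unsafe string :', unsafe)
    # The payload closes the quote, injects a second command, and reopens a
    # quote so the shell sees no syntax error: three commands, not one.
    print('shell runs    :', shell_commands(unsafe))
    print('shell output  :', repr(subprocess.run(
        unsafe, shell=True, capture_output=True, text=True).stdout))

    quoted = build_command_safely(MALICIOUS_START_TIME)
    print('quoted string :', quoted)
    print('shell runs    :', shell_commands(quoted))

    argv = build_argv(MALICIOUS_START_TIME)
    print('argv, no shell:', argv)
    print('output        :', repr(subprocess.run(
        argv, capture_output=True, text=True).stdout))
```

Running it prints the marker `INJECTED` on its own line for the unsafe form, while the `shlex.quote` form and the argv form echo the whole payload as literal text. The argv form is the one to reach for: it removes the shell from the picture, so there is no quoting rule left for an attacker to break.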