Avoiding shell metacharacters in os.popen

Nick Craig-Wood nick at craig-wood.com
Wed Sep 29 21:30:12 CEST 2004


Istvan Albert <ialbert at mailblocks.com> wrote:
>  Nick Craig-Wood wrote:
> 
> > Avoiding shell metacharacter attacks is a must for secure programs.
> 
>  Not passing down commands into a shell is a must for secure programs.
> 
>  What you should do is recognize a command, identify it as a
>  valid and allowed one, then call it yourself. 

I'm not running commands passed by the user - that would be nuts!

I'm running another program written by us.  The program doing the
running is a CGI and it needs to pass parameters to the second program
which come from the user.  It also needs to read the output of that
program - hence popen.

What my post was about was avoiding the shell completely.  If you use
os.system(string) then you go via the shell.  However if you use
os.spawnl(mode, file, *args) then it doesn't go anywhere near the
shell.  As I pointed out in my post there isn't an equivalent for
os.popen* which doesn't go via the shell (except for undocumented
os.popen2).

> If you think that escaping metacharacters gives you any kind of
> security you are deceiving yourself.

As a second best escaping the metacharacters and using os.popen will
work, but AFAICS there isn't a portable metacharacter escaping routine
built into python.

-- 
Nick Craig-Wood <nick at craig-wood.com> -- http://www.craig-wood.com/nick



More information about the Python-list mailing list