Avoiding shell metacharacters in os.popen
nick at craig-wood.com
Wed Sep 29 21:30:12 CEST 2004
Istvan Albert <ialbert at mailblocks.com> wrote:
> Nick Craig-Wood wrote:
> > Avoiding shell metacharacter attacks is a must for secure programs.
> Not passing down commands into a shell is a must for secure programs.
> What you should do is recognize a command, identify it as a
> valid and allowed one, then call it yourself.
I'm not running commands passed by the user - that would be nuts!
I'm running another program written by us. The program doing the
running is a CGI and it needs to pass parameters to the second program
which come from the user. It also needs to read the output of that
program - hence popen.
What my post was about was avoiding the shell completely. If you use
os.system(string) then you go via the shell. However if you use
os.spawnl(mode, file, *args) then it doesn't go anywhere near the
shell. As I pointed out in my post there isn't an equivalent for
os.popen* which doesn't go via the shell (except for undocumented
> If you think that escaping metacharacters gives you any kind of
> security you are deceiving yourself.
As a second best escaping the metacharacters and using os.popen will
work, but AFAICS there isn't a portable metacharacter escaping routine
built into python.
Nick Craig-Wood <nick at craig-wood.com> -- http://www.craig-wood.com/nick
More information about the Python-list