Avoiding shell metacharacters in os.popen

Istvan Albert ialbert at mailblocks.com
Wed Sep 29 18:52:26 CEST 2004


Nick Craig-Wood wrote:

> Avoiding shell metacharacter attacks is a must for secure programs.

Not passing down commands into a shell is a must for secure programs.

What you should do is recognize a command, identify it as a
valid and allowed one, then call it yourself. If you think that
escaping metacharacters gives you any kind of security you are
deceiving yourself.

Istvan.



More information about the Python-list mailing list