Quotation Ugliness

Tim Daneliuk tundra at tundraware.com
Wed Nov 26 15:58:59 CET 2014


On 11/26/2014 06:56 AM, Tim Chase wrote:
> On 2014-11-26 00:04, Tim Daneliuk wrote:
>> someprog.py uname && sudo cat /etc/sudoers
>>
>> vs.
>>
>> someprog.py uname && echo "sudo cat /etc/suoders"
>>
>>
>> In the first instance, I need the sudo passoword, in the second I
>> don't.
>
> This doesn't jibe with the pairs of quotes you sent and your request
> for nesting.  In most popular shells, the majority of your "quote"
> characters don't actually quote anything:
>
>    bash$ echo // hello
>    hello
>    bash$ echo /* hello */
>    [returns all the items in my root directory, the word "hello",
>    along with all the sub-directories in the current directory]
>    bash$ echo this#and#that
>    this#and#that
>    bash$ echo this # and #that
>    this
>
> and has problems with things like
>
>    someprog.py uname && su""do cat /etc/sudoers
>    someprog.py uname && s"ud"o cat /etc/sudoers
>
> which my shell will parse valid execution of sudo.

<SNIP>


I am not writing in bash,  but in python.

The specific program in question I am modifying is
one that takes a shell command and executes it remotely on many machines.
The problem I am trying to solve is to determine whether the user needs to
provide a sudo password or not.  Right now, the program just naively checks
the arguments to see if .startswith("sudo').  As the example given illustrates,
that clearly fails if the sudo is given later in a longer pipeline.

Scanning the whole argument string for 'sudo' is better but will yield
false positives if the string is inside a quote of some sort.  Since I have
to solve the problem for ' and " delimiters, I thought I'd generalize the solution
for other strings possibly being quoted by other delimiters.
----------------------------------------------------------------------------
Tim Daneliuk     tundra at tundraware.com
PGP Key:         http://www.tundraware.com/PGP/




More information about the Python-list mailing list