Quotation Ugliness

Chris Angelico rosuav at gmail.com
Wed Nov 26 16:06:19 CET 2014

On Thu, Nov 27, 2014 at 1:58 AM, Tim Daneliuk <tundra at tundraware.com> wrote:
> The specific program in question I am modifying is
> one that takes a shell command and executes it remotely on many machines.
> The problem I am trying to solve is to determine whether the user needs to
> provide a sudo password or not.  Right now, the program just naively checks
> the arguments to see if .startswith("sudo').  As the example given
> illustrates,
> that clearly fails if the sudo is given later in a longer pipeline.
> Scanning the whole argument string for 'sudo' is better but will yield
> false positives if the string is inside a quote of some sort.  Since I have
> to solve the problem for ' and " delimiters, I thought I'd generalize the
> solution
> for other strings possibly being quoted by other delimiters.

Tell whoever asked you to do this that it's a fundamentally impossible
task. Quotes have nothing to do with whether or not "sudo" is what
will be executed. Your only solutions will involve either parsing the
entire command line, exactly the way the shell does (including knowing
everything the shell knows at the far end, like command aliases), or
letting the shell do the parsing and then tinkering with what the
"sudo" command does. You can't easily and safely predict it based on
simple string processing.


More information about the Python-list mailing list