[Tutor] Tutor Digest, Vol 109, Issue 29
Stephen Yang
steevoyang at gmail.com
Mon Mar 11 00:30:07 CET 2013
please unsubscribe
On Sun, Mar 10, 2013 at 7:27 PM, <tutor-request at python.org> wrote:
> Send Tutor mailing list submissions to
> tutor at python.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://mail.python.org/mailman/listinfo/tutor
> or, via email, send a message with subject or body 'help' to
> tutor-request at python.org
>
> You can reach the person managing the list at
> tutor-owner at python.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Tutor digest..."
>
>
> Today's Topics:
>
> 1. Re: python on ipad (Sven)
> 2. Re: python on ipad (Fernando Salamero)
> 3. Re: python on ipad (William Ray Wing)
> 4. Re: subprocess module: when to _NOT_ use shell=True (eryksun)
> 5. Re: subprocess module: when to _NOT_ use shell=True (Eike Welk)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 10 Mar 2013 22:18:25 +0000
> From: Sven <svenito at gmail.com>
> To: Benjamin Fishbein <bfishbein79 at gmail.com>
> Cc: *tutor python <tutor at python.org>
> Subject: Re: [Tutor] python on ipad
> Message-ID:
> <CAEH=cXUJdkMPfEz2PXtA8bAVKuMAhX2V_ajFNhj7y0amNR=
> ZWw at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On 10 March 2013 21:42, Benjamin Fishbein <bfishbein79 at gmail.com> wrote:
>
> > Hello. I wrote some python programs for my small business that I run on
> > my computer...macbook air. I'm planning to backpack around Mexico and
> > perhaps south america. I'll still be working though. Basically my computer
> > does all the work, I just need to have internet connections and run the
> > programs, and periodically click here and there.
> > I don't want to take my macbook with me because I'd have anxiety that
> > it'd get stolen and I wouldn't have any fun.
> > So I'm debating if I should get a cheap computer for a couple hundred
> > bucks and run the python scripts on it. I think this is possible because I
> > hear the code is the same whether it's mac or PC or whatever.
> > Or I might take my ipad with me. Or just run it on my iphone.
> > Do you know if it's possible to run python scripts on a ipad/iphone, and
> > if so how to do it?
> >
> >
> Do these scripts have GUIs or are they just CLI scripts?
>
> If they are CLI scripts then you can certainly run them on a jailbroken
> device
> http://www.rioleo.org/python-on-the-ipad.php
>
> or if you don't want to jailbreak http://omz-software.com/pythonista/
>
> although I have no idea how featured that is.
>
> Hope that helps
>
> --
> ./Sven
>
> ------------------------------
>
> Message: 2
> Date: Sun, 10 Mar 2013 23:52:34 +0100
> From: Fernando Salamero <fsalamero at gmail.com>
> To: "tutor at python.org" <tutor at python.org>
> Subject: Re: [Tutor] python on ipad
> Message-ID: <EC2FDFC9-9EAA-4488-B240-FE8412E90C4B at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Sure. Pythonista is a must have.
>
>
> https://itunes.apple.com/es/app/pythonista/id528579881?mt=8
>
>
> > Date: Sun, 10 Mar 2013 16:42:59 -0500
> > From: Benjamin Fishbein <bfishbein79 at gmail.com>
> > To: *tutor python <tutor at python.org>
> > Subject: [Tutor] python on ipad
> > Message-ID: <315460BC-0389-4E18-B7EF-0C4E1D7CA47E at gmail.com>
> > Content-Type: text/plain; charset=us-ascii
> >
> > Hello. I wrote some python programs for my small business that I run on
> > my computer...macbook air. I'm planning to backpack around Mexico and
> > perhaps south america. I'll still be working though. Basically my computer
> > does all the work, I just need to have internet connections and run the
> > programs, and periodically click here and there.
> > I don't want to take my macbook with me because I'd have anxiety that
> > it'd get stolen and I wouldn't have any fun.
> > So I'm debating if I should get a cheap computer for a couple hundred
> > bucks and run the python scripts on it. I think this is possible because I
> > hear the code is the same whether it's mac or PC or whatever.
> > Or I might take my ipad with me. Or just run it on my iphone.
> > Do you know if it's possible to run python scripts on a ipad/iphone, and
> > if so how to do it?
> > Thanks,
> > Ben
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 10 Mar 2013 19:07:32 -0400
> From: William Ray Wing <wrw at mac.com>
> To: Sven <svenito at gmail.com>
> Cc: *tutor python <tutor at python.org>, William Ray Wing <wrw at mac.com>
> Subject: Re: [Tutor] python on ipad
> Message-ID: <3B32D5FA-77C1-4F3E-9DFB-DA2225BB3B28 at mac.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Mar 10, 2013, at 6:18 PM, Sven <svenito at gmail.com> wrote:
>
> > On 10 March 2013 21:42, Benjamin Fishbein <bfishbein79 at gmail.com> wrote:
> > Hello. I wrote some python programs for my small business that I run on
> > my computer...macbook air. I'm planning to backpack around Mexico and
> > perhaps south america. I'll still be working though. Basically my computer
> > does all the work, I just need to have internet connections and run the
> > programs, and periodically click here and there.
> > I don't want to take my macbook with me because I'd have anxiety that
> > it'd get stolen and I wouldn't have any fun.
> > So I'm debating if I should get a cheap computer for a couple hundred
> > bucks and run the python scripts on it. I think this is possible because I
> > hear the code is the same whether it's mac or PC or whatever.
> > Or I might take my ipad with me. Or just run it on my iphone.
> > Do you know if it's possible to run python scripts on a ipad/iphone, and
> > if so how to do it?
> >
> >
> > Do these scripts have GUIs or are they just CLI scripts?
> >
> > If they are CLI scripts then you can certainly run them on a jailbroken
> > device
> > http://www.rioleo.org/python-on-the-ipad.php
> >
> > or if you don't want to jailbreak http://omz-software.com/pythonista/
> >
> > although I have no idea how featured that is.
> >
>
> I have Pythonista on my iPad, and it seems to be a pretty complete
> implementation of Python and the standard libraries. It doesn't have
> Tkinter or ttk, but does have a "scene" library that supports GUI
> interfaces and games. It has a fairly active discussion forum and if you
> Google Pythonista you will get hits to several reviews - all positive. At
> $6.95, it would be worth checking out.
>
> Bill
>
> ------------------------------
>
> Message: 4
> Date: Sun, 10 Mar 2013 19:15:01 -0400
> From: eryksun <eryksun at gmail.com>
> To: akleider at sonic.net
> Cc: tutor at python.org
> Subject: Re: [Tutor] subprocess module: when to _NOT_ use shell=True
> Message-ID:
> <CACL+1asTKotyZ=ZLgnZXvLGY4t6TiJAhH-Rmmv7rUCS0r=
> mN6w at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Sun, Mar 10, 2013 at 12:56 PM, <akleider at sonic.net> wrote:
> > I've not found anywhere a clear explanation of when not to
> > set shell=True. If the command line must be interpreted by
> > the shell then clearly this must be set. So the question
> > that comes up is why not set it always?
>
> Using the shell can be a security risk for untrusted commands, as
> described in the 3.3 docs for shlex.quote:
>
> http://docs.python.org/3/library/shlex#shlex.quote
>
> > I came up with the following script that indicates that
> > the shell looks at only the first string in the array if
> > the first parameter is an array rather than a string.
> > Switching between cmd being a string vs an array and shell
> > being set or not set gives 4 possibilities.
> >
> > cmd = ["ls", "-l"]
> > # cmd = "ls -l"
>
> On a POSIX system, when you use an args string instead of a list with
> Popen, it just adds the string to a list, which varies depending on
> the "shell" argument.
>
> Starting a new process using fork/exec hasn't fundamentally changed
> since the early Unix systems in the 1970s. A child process is forked
> and executes a new process image, with the given arguments in an array
> of pointers to strings. Popen uses os.fork and os.execvp (or
> os.execvpe if you supply an environment).
>
> http://docs.python.org/2/library/os#os.fork
> http://docs.python.org/2/library/os#os.execvp
>
> http://en.wikipedia.org/wiki/Exec_%28operating_system%29
>
> If shell=False, use the args list ["ls", "-l"]. Otherwise, if you use
> an args string, Popen creates the list ["ls -l"], and execvp will look
> for a file named "ls -l". Here's a silly example:
>
> >>> import os
> >>> from subprocess import Popen
>
> >>> os.environ['PATH'] += ':.'
> >>> open('ls -l', 'w').write('''\
> ... #!/bin/bash
> ... echo silliness''')
> >>> os.chmod('ls -l', 0700)
> >>> p = Popen('ls -l')
> >>> silliness
>
> If shell=True and the command is the string "ls -l", Popen uses the
> args list ["/bin/sh", "-c", "ls -l"]. This is equivalent to running
> the following:
>
> /bin/sh -c 'ls -l'
>
> This will work as expected. If you instead use the list ["ls", "-l"],
> Popen uses the args list ["/bin/sh", "-c", "ls", "-l"], which is
> equivalent to running the following:
>
> /bin/sh -c ls -l
>
> You can verify that the above doesn't work (the '-l' option isn't
> passed to ls). Here's an example to echo the parameters:
>
> >>> open('tmp.sh', 'w').write('''
> ... #!/bin/bash
> ... echo $0, $1, $2''')
> >>> os.chmod('tmp.sh', 0700)
> >>> env = {'PATH':'.'}
>
> >>> p = Popen('tmp.sh p1 p2', shell=True, env=env)
> >>> ./tmp.sh, p1, p2
>
> That worked fine, but this fails:
>
> >>> p = Popen(['tmp.sh','p1','p2'], shell=True, env=env)
> >>> ./tmp.sh, ,
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 11 Mar 2013 00:27:39 +0100
> From: Eike Welk <eike.welk.lists1 at gmx.de>
> To: tutor at python.org
> Subject: Re: [Tutor] subprocess module: when to _NOT_ use shell=True
> Message-ID: <2781446.FQqPdLVjh9 at lixie>
> Content-Type: text/plain; charset="us-ascii"
>
> On Sunday 10.03.2013 09:56:26 akleider at sonic.net wrote:
> > I've not found anywhere a clear explanation of when not to set
> > shell=True.
> > If the command line must be interpreted by the shell then clearly this
> > must be set. So the question that comes up is why not set it always?
>
> Because ``shell=True`` is a security problem. It is also not portable.
> Someone might want to run your code on Windows, which has no Bash.
>
> The security problem arises when the command contains any user input. The
> user could enter a bit of carefully crafted text, that tricks Bash into
> doing something that you don't want. The technique is called "shell code
> injection".
>
> The nicest example is the "Bobby tables" episode from XKCD, that covers a
> similar situation with SQL injection:
>
> http://www.explainxkcd.com/wiki/index.php?title=327:_Exploits_of_a_Mom
>
> And on Wikipedia:
>
> http://en.wikipedia.org/wiki/Code_injection#Shell_injection
>
>
> --
> Eike.
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Tutor maillist - Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor
>
>
> ------------------------------
>
> End of Tutor Digest, Vol 109, Issue 29
> **************************************
>
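
The argument handling eryksun describes and the injection risk Eike Welk describes, put side by side as an added example that is not part of the original thread. It assumes a POSIX system with `echo` on the PATH; the sample input is constructed and the function names are hypothetical.

```python
import shlex
import subprocess

# Constructed sample input: a "filename" that carries a shell metacharacter.
UNTRUSTED = "report.txt; echo INJECTED"


def run(args, shell):
    """Run the command and return the child's stdout as a list of lines."""
    done = subprocess.run(args, shell=shell, check=True,
                          stdout=subprocess.PIPE, universal_newlines=True)
    return done.stdout.splitlines()


def list_no_shell(value):
    # exec receives ["echo", value]: value is a single argument and no
    # shell ever parses it.
    return run(["echo", value], shell=False)


def string_with_shell(value):
    # Popen builds ["/bin/sh", "-c", "echo " + value]: the shell parses the
    # whole string, so the ';' in value starts a second command.
    return run("echo " + value, shell=True)


def quoted_string_with_shell(value):
    # shlex.quote wraps value so the POSIX shell sees one literal word.
    return run("echo " + shlex.quote(value), shell=True)


def list_with_shell(value):
    # Popen builds ["/bin/sh", "-c", "echo", value]: value becomes $0 of
    # the script "echo", which therefore runs with no arguments.
    return run(["echo", value], shell=True)


if __name__ == "__main__":
    for fn in (list_no_shell, string_with_shell,
               quoted_string_with_shell, list_with_shell):
        print(fn.__name__, fn(UNTRUSTED))
```

Only the unquoted string with shell=True lets the input run a second command; the list form without a shell is the default to prefer, and shlex.quote applies to POSIX shells only.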