在os.popen中避免使用shell元字符 [英] Avoiding shell metacharacters in os.popen
问题描述
我正试图避免在便携式
时尚中使用os.popen中的shell元字符。
os.popen()似乎只是取一个字符串作为命令,需要
棘手的引用。
os.popen2()可以取一个字符串或一个列表 - Unix中的相关代码
python(在popen2.py中)正在......
def _run_child(self,cmd):
if isinstance( cmd,basestring):
cmd = [''/ bin / sh'','' - c'',cmd]
for i in range(3,MAXFD ):
尝试:
os.close(i)
除了OSError:
pass
试试:
os.execvp(cmd [0],cmd)
终于:
os._exit(1)
就我而言,这是完美的行为 - 如果你通过一个清单
它不会通过外壳而且如果你通过它确实是一个字符串。
例如
w,r = os.popen2([" ls"," -l"])
r.read()
这引出了我的问题: -
1)popen2的这种行为(字符串vs列表)是故意的吗?它不是在任何地方记录的,并且它在Windows下不起作用(给出
TypeError:popen2()参数1必须是字符串,而不是列表)
2)是否有类似的os.popen()计划?
3)是否有相当于perl quotemeta()命令。这个
引用字符串中的元字符以便在shell中使用。这是一个适合Unix的定义,但我不认为\引用有效。
在Windows中
cmd = re.sub(r"(\ W)",r" \\\ 1",cmd)
避免shell元字符攻击是安全的必要条件程序。
Python的os.exec *和os.spawn *功能相当不错,但是os.popen *部门似乎缺少
!
任何见解都会受到赞赏!
-
Nick Craig-Wood< ni ** @ craig-wood。 COM> - http://www.craig-wood.com/nick
I''m trying to avoid using shell metacharacters in os.popen in a portable
fashion.
os.popen() only seems to take a string as the command which would need
tricky quoting.
os.popen2() can take a string or a list - the relevant code in Unix
python (in popen2.py) being...
def _run_child(self, cmd):
if isinstance(cmd, basestring):
cmd = [''/bin/sh'', ''-c'', cmd]
for i in range(3, MAXFD):
try:
os.close(i)
except OSError:
pass
try:
os.execvp(cmd[0], cmd)
finally:
os._exit(1)
This is perfect behaviour as far as I''m concerned - if you pass a list
it doesn''t go through the shell and if you pass a string it does.
eg
w, r = os.popen2(["ls", "-l"])
r.read()
This leads on to my questions :-
1) is this behaviour (string vs list) of popen2 intentional? Its not
documented anywhere and it doesn''t work under Windows (gives
"TypeError: popen2() argument 1 must be string, not list")
2) is there anything similar for os.popen() planned?
3) is there an equivalent to the perl quotemeta() command. This
quotes meta-characters in a string for use in the shell. Here is a
suitable definition for Unix, but I don''t think that \ quoting works
in Windows
cmd = re.sub(r"(\W)", r"\\\1", cmd)
Avoiding shell metacharacter attacks is a must for secure programs.
Python does pretty well with its os.exec* and os.spawn* functions, but
seems to be lacking in the os.popen* department!
Any insights appreciated!
--
Nick Craig-Wood <ni**@craig-wood.com> -- http://www.craig-wood.com/nick
推荐答案
Nick Craig-Wood写道:
Nick Craig-Wood wrote:
安全程序必须避免shell元字符攻击。
Avoiding shell metacharacter attacks is a must for secure programs.
不将命令传递给shell是安全程序必须的。
你应该做的是识别一个命令,将其识别为
有效并允许一个,然后自己调用。如果您认为
逃避元字符为您提供任何安全保障,那么您就是在欺骗自己。
Istvan。
Not passing down commands into a shell is a must for secure programs.
What you should do is recognize a command, identify it as a
valid and allowed one, then call it yourself. If you think that
escaping metacharacters gives you any kind of security you are
deceiving yourself.
Istvan.
Istvan Albert< ia ***** @ mailblocks.com>写道:
Istvan Albert <ia*****@mailblocks.com> wrote:
Nick Craig-Wood写道:
Nick Craig-Wood wrote:
安全程序必须避免shell元字符攻击。
不将命令传递给shell是安全程序必须的。
你应该做的是识别命令,将其识别为有效且允许的命令,然后自己调用。
Avoiding shell metacharacter attacks is a must for secure programs.
Not passing down commands into a shell is a must for secure programs.
What you should do is recognize a command, identify it as a
valid and allowed one, then call it yourself.
我没有运行用户传递的命令 - 这将是疯狂的!
我正在运行我们编写的另一个程序。执行
运行的程序是CGI,它需要将参数传递给来自用户的第二个程序
。它还需要读取那个
程序的输出 - 因此popen。
我的帖子是关于完全避免shell。如果您使用
os.system(string),那么您将通过shell。但是如果你使用
os.spawnl(mode,file,* args)那么它就不会靠近
shell了。正如我在帖子中指出的那样,没有相当于
os.popen *它不会通过shell(除了没有文档的
os。 popen2)。
如果您认为转义元字符会给您带来任何形式的安全感,那么您就是在欺骗自己。
I''m not running commands passed by the user - that would be nuts!
I''m running another program written by us. The program doing the
running is a CGI and it needs to pass parameters to the second program
which come from the user. It also needs to read the output of that
program - hence popen.
What my post was about was avoiding the shell completely. If you use
os.system(string) then you go via the shell. However if you use
os.spawnl(mode, file, *args) then it doesn''t go anywhere near the
shell. As I pointed out in my post there isn''t an equivalent for
os.popen* which doesn''t go via the shell (except for undocumented
os.popen2).
If you think that escaping metacharacters gives you any kind of
security you are deceiving yourself.
第二个最好的转义元字符并使用os.popen将
工作,但AFAICS没有便携式元字符转义例程
内置于python中。
-
Nick Craig-Wood< ni ** @ craig-wood.com> - http://www.craig-wood.com/nick
在文章< sl ***************** @ irishsea.home.craig-wood.com>中,
Nick Craig-Wood< ni ** @ craig-wood.com>写道:
....
In article <sl*****************@irishsea.home.craig-wood.com>,
Nick Craig-Wood <ni**@craig-wood.com> wrote:
....
我的帖子是关于完全避免shell的。如果您使用
os.system(string),那么您将通过shell。但是如果你使用
os.spawnl(mode,file,* args)那么它就不会靠近
shell了。正如我在帖子中指出的那样,没有相当于
os.popen *,它不会通过shell(除了无证件的os.popen2)。
What my post was about was avoiding the shell completely. If you use
os.system(string) then you go via the shell. However if you use
os.spawnl(mode, file, *args) then it doesn''t go anywhere near the
shell. As I pointed out in my post there isn''t an equivalent for
os.popen* which doesn''t go via the shell (except for undocumented
os.popen2).
嗯,这听起来像我真正的问题是微软
Windows不支持任何功能等同于spawnv
用于管道。我不知道这是不是真的,我只是
从你那里拿走它,os.popen2不支持
$ b列表在Microsoft Windows平台上有$ b参数[1],并且推断它不是因为它不可能 - 没有任何特定的
函数这样做,你不能像在UNIX上那样滚动自己的管道/分支/ execve
,就像事实上popen2那样。
如果这真的是一个问题,而不是一个众所周知的事实,那么你可能会再次提出一个主题行,这会吸引更多微软的关注。 Windows开发人员,因为只有他们才会知道
。试图把它作为一般性的b
Python问题可能适得其反,如果它意味着
那些读过这个问题的人往往是那些美元的人b $ b并没有真正受苦。
Donn Cave,做** @ u .washington.edu
这篇关于在os.popen中避免使用shell元字符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!