Costales

Reputation: 2873

How to avoid Shell Injection with a path variable and wait for command exit?

I need to read the exit status of a command (so I have to wait for it in a synchronous way):

import subprocess
subprocess.call('ls ~', shell=True)  # shell=True: the whole string is parsed by /bin/sh

My problem is a path like this:

~/testing/;xterm;/blabla

How could I sanitize that string from the user (allowing special characters from their language)?

import subprocess
subprocess.call('ls ~/testing/;xterm;/blabla', shell=True) # This will launch xterm

I found escapeshellcmd in PHP, but I didn't find anything in Python.

PS: It's not a duplicate of this:

Thanks in advance!

=======

Upvotes: 3

Views: 2083

Answers (1)

falsetru

Reputation: 369364

Pass a list instead of a string, and remove shell=True so that the command is not run by a shell. (You need to expand ~ yourself using os.path.expanduser.)

import os
import subprocess

# No shell=True: the list is passed straight to exec(), so the user-supplied
# path is a single argv element and ';xterm;' is just part of a filename.
# The shell is also what expands '~', so that is done here with expanduser.
subprocess.call(['ls', os.path.expanduser('~') + '/testing/;xterm;/blabla'])

Side note: If you want to get a list of filenames, you'd better use os.listdir instead:

filelist = os.listdir(os.path.expanduser('~') + '/testing/;xterm;/blabla')

Upvotes: 4
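A worked version of the answer above, added here as an example and not part of the original post. It builds the argv list, waits for the child and reads its exit status, then actually creates a directory literally named `;xterm;` (a constructed tree under a temp directory) to show that `ls` lists it and no second command runs. It also shows `shlex.quote`, the Python standard-library analogue of PHP's escapeshellarg, for the case where a shell string is unavoidable. It assumes Python 3.5+ (for `subprocess.run`) and a POSIX `ls` on PATH; the function and variable names are my own.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed untrusted input, as in the question: a shell would read it as
# `ls ~/testing/` ; `xterm` ; `/blabla`, i.e. three separate commands.
UNTRUSTED_PATH = "~/testing/;xterm;/blabla"


def build_argv(cmd, user_path):
    """Return an argv list in which the user-supplied path is exactly one element.

    Without shell=True, subprocess execs `cmd` directly, so ';', '|', '$(...)'
    and similar characters in user_path are just bytes of a filename.  Tilde
    expansion is a shell feature, so it is done here with os.path.expanduser.
    """
    return [cmd, os.path.expanduser(user_path)]


def run_and_wait(argv):
    """Run argv without a shell, block until it exits, return (status, stdout, stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True)  # no shell=True
    return proc.returncode, proc.stdout, proc.stderr


def shell_safe_command(cmd, user_path):
    """Only if a shell is unavoidable: shlex.quote is the Python analogue of
    PHP's escapeshellarg.  It single-quotes the argument so the shell keeps
    ';xterm;' inside one word instead of treating ';' as a separator."""
    return "%s %s" % (shlex.quote(cmd), shlex.quote(os.path.expanduser(user_path)))


def make_suspicious_tree(base):
    """Create base/testing/;xterm;/blabla (constructed test data) so the odd path exists."""
    target = os.path.join(base, "testing", ";xterm;", "blabla")
    os.makedirs(target, exist_ok=True)
    open(os.path.join(target, "hello.txt"), "w").close()
    return target


def demo():
    """Show the path is handled as data: ls lists it, exit status is 0, nothing else runs."""
    with tempfile.TemporaryDirectory() as base:
        path = make_suspicious_tree(base)
        status, out, _ = run_and_wait(build_argv("ls", path))
        listed = os.listdir(path)  # same result with no child process at all
        return {
            "argv": build_argv("ls", path),
            "status": status,
            "stdout_names": out.split(),
            "listdir_names": listed,
            "quoted": shell_safe_command("ls", path),
        }


if __name__ == "__main__":
    print(build_argv("ls", UNTRUSTED_PATH))
    print(shell_safe_command("ls", UNTRUSTED_PATH))
    print(demo())
```

Note that `shlex.quote` protects a single argument, not a command line you assemble by concatenation elsewhere; the argv-list form is still the one to prefer, and `subprocess.run` (or `call`) blocks until the child exits, so the return code is the synchronous exit status the question asks for.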
