
Author pitrou
Recipients alex, cvrebert, eric.araujo, ncoghlan, pitrou
Date 2011-10-21.23:13:22
Message-id <1319238803.66.0.0206882441393.issue13238@psf.upfronthosting.co.za>
Content
Hum, in:

return_code = shellcmd.shell_call('ls -l {}', dirname)
listing = shellcmd.check_shell_output('ls -l {}', dirname)

...how do you know that dirname doesn't need some kind of escaping?
This is not only a security issue, but a bug. Even if security doesn't matter on your system, your script will still break and/or do unexpected things.

Also, I don't really understand how your recipe improves things. You're just saving one call to .format(). You would probably have the same saving by using the % operator.
History
Date User Action Args
2011-10-21 23:13:23  pitrou  set  recipients: + pitrou, ncoghlan, eric.araujo, alex, cvrebert
2011-10-21 23:13:23  pitrou  set  messageid: <1319238803.66.0.0206882441393.issue13238@psf.upfronthosting.co.za>
2011-10-21 23:13:23  pitrou  link  issue13238 messages
2011-10-21 23:13:22  pitrou  create
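
The escaping problem raised in the message above, shown as an added example that is not part of the original message or of the shellcmd recipe. The helpers `naive_format`, `quoted_format` and `run_shell` and the sample directory names are hypothetical; `printf` stands in for `ls -l` so the output shows how the shell split the line, and a POSIX `sh` is assumed.

```python
import shlex
import subprocess

# Stand-in for 'ls -l {}': printf echoes every argument it receives in
# brackets, so the output reveals how the shell tokenized the command line.
TEMPLATE = "printf '[%s]\\n' {}"


def naive_format(template, *args):
    """Plain str.format(): interpolated values are not escaped at all."""
    return template.format(*args)


def quoted_format(template, *args):
    """Hypothetical safer helper: shlex.quote() each value before interpolation."""
    return template.format(*(shlex.quote(str(a)) for a in args))


def run_shell(command):
    """Run a command line through the shell and return its stdout lines."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


# Constructed sample directory names.
SPACE_NAME = "My Documents"             # breaks the script: becomes two arguments
META_NAME = "tmp; echo EXTRA-COMMAND"   # security issue: ';' starts a second command

if __name__ == "__main__":
    for name in (SPACE_NAME, META_NAME):
        print(repr(name))
        print("  naive :", run_shell(naive_format(TEMPLATE, name)))
        print("  quoted:", run_shell(quoted_format(TEMPLATE, name)))
```

Passing an argument list to `subprocess` without `shell=True` avoids the quoting question entirely, because no shell parses the directory name.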